I. INTRODUCTION: THE BASIS OF QUANTUM COMPUTING


A. SCHRÖDINGER, EPR, AND BELL (OR, WHEN A TREE FALLS IN THE FOREST...)

Quantum information is a major initiative in the physical and informational sciences which traces its roots back to the gedanken experiments of Schrödinger and of Einstein, Podolsky, and Rosen (EPR). EPR, following a “Schrödinger's cat” line of thinking in an attempt to validate the “no-dice” opposition to quantum theory, pointed out that the linear superposition principle of quantum mechanics implied that so-called “entangled” states allowed by the theory could be created in such a way as to violate supposedly natural criteria (such as locality). In their quest for a deterministic explanation, EPR concluded that quantum mechanics was incomplete and that the notional collapse of a superposition of quantum states was illusory: the evolution of quantum states was deterministic but somehow hidden from measurement. Bell [12] sought to address these ideas by formulating the Bell inequalities for hidden-variable theories; these inequalities are experimentally testable hypotheses which can confirm or rule out local hidden-variable theories, and hence decide the nondeterminism of quantum mechanics.

An early test of Bell's inequalities was conducted by Lamehi-Rachti and Mittig [90] in 1976; their results disagreed with hidden-variable interpretations but were not conclusive. Later experiments progressively wore away at hidden-variable theories; in 1996, the creation of a quantum superposition was experimentally verified [106], and the days of the local hidden-variable theories were conclusively over.

The resolution of this basically metaphysical issue has significant implications for national security and the physical and informational sciences. Its potentially profound effect on the evolution of these fields (and, in particular, their intersection) is the motivation for this discussion.

B. PROTOTYPE TWO-STATE QUANTUM SYSTEMS: QUBITS

Consider (via identification or analogy with, e.g., the polarization of a photon or the spin of an electron) a quantum-mechanical system whose Hilbert or state space $\mathcal{H}$ is generated by two basis states, denoted $|0\rangle$ and $|1\rangle$. A general state $|a\rangle$ is then a unit-norm linear superposition of the basis states. That is, we have $|a\rangle = \alpha|0\rangle + \beta|1\rangle$ with $|\alpha|^2 + |\beta|^2 = 1$. We refer to such a state as a qubit. The probability that measurement of a qubit $|a\rangle$ results in the outcome $|0\rangle$ (resp., $|1\rangle$) is $|\alpha|^2$ (resp., $|\beta|^2$). We can use an operator rather than a state vector to describe the system; in this setting we consider the density matrix $\rho_a = |a\rangle\langle a|$. Measurements correspond to the projection operators $\Pi_0 = |0\rangle\langle 0|$ (resp., $\Pi_1 = |1\rangle\langle 1|$), and the associated probabilities can be obtained by noting that $\mathrm{Tr}(|0\rangle\langle 0|\,\rho_a) = |\alpha|^2$ (resp., $\mathrm{Tr}(|1\rangle\langle 1|\,\rho_a) = |\beta|^2$).

Now consider a collection of $n$ such systems: the Hilbert space $\mathcal{H}^n$ of the resulting composite system is the tensor product of the subsystems' spaces, which has dimension $2^n$. A general state is now a linear superposition of the basis states of $\mathcal{H}^n$ (which can be labelled by bit vectors or by decimal numbers in the canonical computational basis). It is easy to see that there are then necessarily states in $\mathcal{H}^n$ which are not themselves tensor products of qubits; these are referred to as entangled states. Using the shorthand $|ab\rangle$ or $|a\rangle|b\rangle$ for $|a\rangle \otimes |b\rangle$ (and ignoring a normalization factor), we note, for example, that $|00\rangle + |11\rangle$ is such a (maximally) entangled state, called an EPR pair, of which a measurement in the computational basis can result in only two possible outcomes ($|00\rangle$ or $|11\rangle$), whereas in general a measurement of a two-qubit system may result in any of four possible outcomes ($|00\rangle$, $|01\rangle$, $|10\rangle$ or $|11\rangle$).

C. QUANTUM PARALLELISM VIA ENTANGLEMENT

The notorious difficulty of the quantum-mechanical N-body problem is a consequence of the fact that linear growth in the number of particles results in exponential growth in the dimension of the Hilbert space, and hence in the cost of simulation. Theoretical work on the thermodynamics of classical computation by Bennett [15] and Fredkin and Toffoli [60] and on the simulation of Turing machines with quantum systems by Benioff [13] led Feynman [57] to argue that this problem could in some sense be its own solution: a quantum mechanical system that was more or less impossible to simulate classically could be effectively simulated by another quantum mechanical system. (In fact, a quantum computer can do the job, as we will see; quantum mechanical simulation would probably be the first real use of the technology if a fully operational quantum computer with over 30 or so qubits were developed [94], [95].)

Introducing the Walsh-Hadamard operator $W$, with matrix in the computational basis
$$W = \frac{1}{\sqrt{2}}\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix},$$
we see that $W|0\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$. That is, applying the Walsh-Hadamard operator to the “ground” state gives a uniform superposition of the basis states. This operator (geometrically realized as the composition of a rotation and a reflection) is a precursor to more sophisticated unitary operators or quantum gates. If we consider the tensor product $W_n$ (acting on $\mathcal{H}^n$) of $n$ single-qubit Walsh-Hadamard operators, we obtain
$$W_n|i\rangle = \frac{1}{\sqrt{2^n}}\sum_{j=0}^{2^n-1}(-1)^{(i,j)}\,|j\rangle, \qquad \text{where } i = \sum_{k=1}^{n} i_k 2^{k-1},\quad |i\rangle = \bigotimes_{k=1}^{n}|i_k\rangle,\quad (i,j) = \sum_{k=1}^{n} i_k j_k .$$

Forming $W_n|0\ldots0\rangle = W|0\rangle \otimes \cdots \otimes W|0\rangle$, we obtain a uniform superposition of all the basis states in the total Hilbert space; a measurement results in an arbitrary bit string of length $n$ with probability $2^{-n}$. Applying a quantum gate to this superposition is equivalent to superposing the states resulting from applying the gate to each (suitably normalized) basis state. This is the prototype of quantum parallelism.

Although measurements of such a state give a procedure for generating random numbers, it is far from clear how to generalize it (much less actually physically implement it) in such a way as to actually do anything useful that could not be achieved much more easily with (say) a radioactive decay source. Indeed, the bright light of quantum parallelism casts a dark shadow of quantum measurement and decoherence. Even if we can somehow implement a technique for entangling and manipulating qubits, we are lost without a way to measure the desired basis state with a probability greater than $2^{-n}$, or if the environment collapses our superpositions. The discovery of a realizable algorithmic technique (the quantum Fourier transform) by Coppersmith [44] for generating constructive interference of desirable states marked a crucial step towards realizing the utility of quantum computation.


D. DECOHERENCE

One of the fundamental tenets of quantum mechanics is that a measurement collapses a quantum superposition into a fixed state. The question of precisely what defines a measurement is subtle, however; indeed, interactions between the external environment and a quantum superposition will generally force the off-diagonal elements of the density matrix to become negligible, and the initially coherent phases of subsystems will decouple.

Efficient algorithms for quantum computation can provide an answer to the measurement problem as applied to a system of qubits isolated from their environment, but in fact a system of qubits will rapidly interact with its environment, no matter how weak the coupling, and the superposition will effectively collapse. The degree to which this process of decoherence can be delayed is the x-factor in building real-world quantum computers.

Omnès [109] sketches a mechanism for the decoherence of a single qubit as a consequence of interaction with an (internal) environment of $n$ (mutually) noninteracting qubits; we will follow his treatment. Such a system can be described by a Hamiltonian of the form
$$H = \sum_{k=1}^{n} g_k\, \sigma_z \otimes \mathrm{Id}^{(1)} \otimes \cdots \otimes \sigma_z^{(k)} \otimes \cdots \otimes \mathrm{Id}^{(n)},$$
where $\sigma_z^{(k)} = -|0\rangle\langle 0|^{(k)} + |1\rangle\langle 1|^{(k)}$, $\mathrm{Id}^{(k)}$ denote single-qubit identity operators (the first factor $\sigma_z$ acts on the system qubit, the $k$th remaining factor on the $k$th environment qubit), and $g_k$ are coupling constants. The state
$$|\Psi(t)\rangle = \alpha|0\rangle \otimes \bigotimes_{k=1}^{n}\left(\alpha_k e^{-ig_k t}|0\rangle + \beta_k e^{ig_k t}|1\rangle\right) + \beta|1\rangle \otimes \bigotimes_{k=1}^{n}\left(\alpha_k e^{ig_k t}|0\rangle + \beta_k e^{-ig_k t}|1\rangle\right)$$
then satisfies the Schrödinger equation; the reduced density matrix for the qubit (obtained by performing a partial trace over the environmental degrees of freedom) is
$$\rho = \mathrm{Tr}_E\,|\Psi(t)\rangle\langle\Psi(t)| = |\alpha|^2|0\rangle\langle 0| + |\beta|^2|1\rangle\langle 1| + z(t)\,\alpha\bar\beta\,|0\rangle\langle 1| + \bar z(t)\,\bar\alpha\beta\,|1\rangle\langle 0| ,$$
where $z(t)$ is the overlap of the two environment states. It can be shown that
$$z(t) = \prod_{k=1}^{n}\left(|\alpha_k|^2 e^{-2ig_k t} + |\beta_k|^2 e^{2ig_k t}\right), \qquad |z(t)|^2 = \prod_{k=1}^{n}\left[\cos^2(2g_k t) + \left(|\alpha_k|^2 - |\beta_k|^2\right)^2 \sin^2(2g_k t)\right].$$

If the initial state of the environment (i.e., the distribution of $\alpha_k, \beta_k$) is random, then each factor is less than 1 and this quantity is exponentially small in $n$. This effective diagonalisation of the density matrix is the hallmark of decoherence: the interference terms of quantum superpositions decrease rapidly as a result of interactions.
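To see the exponential suppression numerically, here is an added Python example (not from the report, and not Omnès's own calculation) that evaluates $z(t)$ for a randomly prepared environment of $n$ qubits with amplitudes $\alpha_k, \beta_k$ and couplings $g_k$ drawn from a seeded generator (constructed values), builds the reduced density matrix, and cross-checks $|z(t)|^2$ against the closed form above.

```python
"""Decoherence factor z(t) for one qubit coupled to n environment qubits.

Added example, not from the report. Environment amplitudes alpha_k, beta_k
and couplings g_k come from a seeded generator (constructed values).
"""
import cmath
import math
import random


def random_environment(n, seed=1):
    """n environment qubits alpha_k|0> + beta_k|1> (normalised, real) and couplings g_k."""
    rng = random.Random(seed)
    env = []
    for _ in range(n):
        a, b = rng.random(), rng.random()
        norm = math.sqrt(a * a + b * b)
        env.append((a / norm, b / norm, rng.uniform(0.5, 1.5)))   # (alpha_k, beta_k, g_k)
    return env


def z_factor(env, t):
    """z(t) = prod_k (|alpha_k|^2 e^{-2i g_k t} + |beta_k|^2 e^{2i g_k t})."""
    z = 1 + 0j
    for a, b, g in env:
        z *= a * a * cmath.exp(-2j * g * t) + b * b * cmath.exp(2j * g * t)
    return z


def z_squared_closed_form(env, t):
    """|z(t)|^2 = prod_k [cos^2(2 g_k t) + (|alpha_k|^2 - |beta_k|^2)^2 sin^2(2 g_k t)]."""
    p = 1.0
    for a, b, g in env:
        p *= math.cos(2 * g * t) ** 2 + (a * a - b * b) ** 2 * math.sin(2 * g * t) ** 2
    return p


def reduced_density_matrix(alpha, beta, env, t):
    """rho = Tr_E |Psi(t)><Psi(t)| for the system qubit alpha|0> + beta|1>:
    the diagonal is untouched, the off-diagonal is multiplied by z(t)."""
    z = z_factor(env, t)
    return [[abs(alpha) ** 2, z * alpha * beta.conjugate()],
            [z.conjugate() * alpha.conjugate() * beta, abs(beta) ** 2]]


def coherence_decay(n_values, t=1.0, seed=1):
    """|z(t)|^2 for environments of growing size n (same seed, so each extends the last)."""
    return {n: abs(z_factor(random_environment(n, seed), t)) ** 2 for n in n_values}


if __name__ == "__main__":
    for n, val in coherence_decay([1, 2, 5, 10, 20, 40]).items():
        print(f"n={n:3d} environment qubits: |z(1)|^2 = {val:.3e}")
    amp = complex(1 / math.sqrt(2))
    rho = reduced_density_matrix(amp, amp, random_environment(10), 1.0)
    print("diagonal:", rho[0][0], rho[1][1], "  |rho_01|:", abs(rho[0][1]))
```

Every factor in the product has modulus at most 1, so adding environment qubits can only shrink $|z(t)|$; the printed table shows the off-diagonal element falling by orders of magnitude while the diagonal populations $|\alpha|^2, |\beta|^2$ never change, which is exactly the diagonalisation described above.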

Avoiding decoherence in experiments (much less actual physical quantum computers or channels) is made especially difficult because of interactions with the external environment, which is a much harder problem to address than avoiding undesired qubit-qubit interactions. Consider for example the case of a harmonic oscillator weakly coupled to a bath of harmonic oscillators [109]. If the harmonic oscillator is prepared in a superposition of two coherent states, the decay of the off-diagonal elements is exponential with a characteristic time given by
$$\tau_0 = \frac{2\hbar\tau}{m\omega\,(x_1(0) - x_2(0))^2}$$
(the expression given in [109] contains errors), where $\tau$ is the damping time of the oscillator. For a quartz oscillator with fundamental frequency $f = 2\pi\omega = 50$ MHz, mass $m \approx 10^{-25}$ kg (mass of the SiO$_2$ molecule), initial coherent-state separation $\Delta x = x_1(0) - x_2(0) = 10^{-10}$ m (1 Å), and $Q = \omega\tau \approx 10^3$, we find $\tau_0 \approx 3$ s. If we include the effects of temperature the characteristic time is [137]
$$\tau_T = \frac{\hbar^2\tau}{2mkT\,(x_1(0) - x_2(0))^2} .$$
The ratio of characteristic times, $\tau_T/\tau_0$, is of the order of $\hbar\omega/kT$, that is, of the ratio of excitation to thermal energies. So the same quartz oscillator at $T = 300$ K has a characteristic decoherence time of about 0.3 ps, indicating the dramatic and constraining effects of temperature. (DiVincenzo [49] lists decoherence times for other physical systems that have been proposed for quantum computer realizations.) Low temperatures can delay the onset of decoherence (indeed, the first evidence of a macroscopic quantum superposition was recently obtained for a superconducting quantum interference device at a few kelvin [A1]).

To use a system, it must have some coupling to the external environment, and it is therefore subject to rapid decoherence. This Catch-22 can be circumvented by employing quantum error-correcting codes, whose independent discovery by Shor and Calderbank [34] and Steane [127] made quantum information technology a realistic goal. But whether that goal will ever be fulfilled (and if so, when, and how) is still an open question.

E. THE STATE OF THE ART

The high degrees of interest and promise in quantum communication and quantum computation are largely due to the central results of Bennett and Brassard [16], who designed a provably secure [123] key-distribution protocol (BB84) using a quantum channel, and Shor [122], who devised an algorithm for finding the period of a sequence exponentially faster than any known classical method. This technique can be used to efficiently factor composite numbers or to calculate discrete logarithms, and so public-key cryptosystems and authentication protocols based on the supposed computational infeasibility of these number-theoretic problems, such as (among others) RSA [115], ElGamal [55], and the Digital Signature Algorithm (DSA), the key element of the federal Digital Signature Standard (DSS) [59], would therefore be rendered useless in the face of a quantum computational attack.

Various search algorithms proposed by Grover [67] and others raise the possibility of pattern-matching and recognition schemes of hitherto unimaginable power. Simulation of quantum mechanics and other physical systems [1], [2], [25], [135] could provide the tools necessary to design nanostructures [8]. A number of applications to statistical and numerical analysis (e.g., [3]), signal analysis, and so forth, have been discovered that are possible only in the realm of quantum computation. Exploitation of the universality and quasi-physical evolution properties of quantum cellular automata [39], [131] also holds theoretical and practical promise [14], [25], [103], [134]. Further significant theoretical advances are almost surely on the horizon.

Finally, although decoherence poses a formidable obstacle to the realization of quantum computers even with the use of quantum error-correcting codes, experimentalists have nevertheless recently constructed entangled states of four [116] and seven [85] qubits using ion trap [128] and liquid-state NMR [79] architectures, respectively.
II. BASIC THEORETICAL MODELS


A. LOGIC GATES

It so happens that universal sets of logic gates suffice to perform classical digital computation. If, for example, we consider the XOR (exclusive-OR, or controlled NOT) and AND gates (which correspond, respectively, to addition and multiplication in the field $\mathbb{F}_2 = \mathbb{Z}_2$), together with the constant 1, we can write any Boolean operation as an appropriate composition of these operations.

The principle of unitary evolution in quantum mechanics leads to time symmetry, however, and therefore any classical logic gates that we hope to carry over to the quantum regime must be reversible. Indeed, Landauer [82] and Bennett [15], in their analyses of fundamental lower bounds on heat dissipation resulting from computation, showed that models of classical reversible computers could be constructed. Key to such a construction is the augmentation of nominally one-output gates. For example, the augmented (reversible) XOR gate acts as $A, B \mapsto A, A \oplus B$. It is noteworthy that a quantum XOR gate was physically realized in an ion trap as long ago as 1995 [106]. This is by no means a trivial thing: a quantum XOR gate acting on the (normalized) state $|00\rangle + |10\rangle$ produces an EPR pair, and vice versa.
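The two-qubit claim just made, and the uniform superposition of Section I.C, can be checked with a few lines of explicit matrix arithmetic. The following Python is an added example, not code from the report: it builds $W_n$ as a Kronecker product, confirms the $(-1)^{(i,j)}$ formula and the $2^{-n}$ outcome probabilities, and applies the XOR matrix to $(|00\rangle + |10\rangle)/\sqrt2$. The basis ordering (index $2A + B$ for $|A, B\rangle$, first qubit the control) is a convention chosen here.

```python
"""Checks of Sections I.B, I.C and II.A with explicit matrix arithmetic.

Added example, not code from the report. Pure Python, no numpy.
Basis index for two qubits |A,B> is 2*A + B (an ordering chosen here).
"""
import math

SQRT2 = math.sqrt(2.0)
W = [[1 / SQRT2, 1 / SQRT2], [1 / SQRT2, -1 / SQRT2]]        # Walsh-Hadamard gate
ID2 = [[1.0, 0.0], [0.0, 1.0]]
XOR = [[1, 0, 0, 0], [0, 1, 0, 0], [0, 0, 0, 1], [0, 0, 1, 0]]  # |A,B> -> |A, A xor B>


def kron(a, b):
    """Tensor (Kronecker) product of two matrices given as lists of rows."""
    ra, ca, rb, cb = len(a), len(a[0]), len(b), len(b[0])
    return [[a[i // rb][j // cb] * b[i % rb][j % cb] for j in range(ca * cb)]
            for i in range(ra * rb)]


def matvec(m, v):
    """Matrix times state vector."""
    return [sum(m[i][j] * v[j] for j in range(len(v))) for i in range(len(m))]


def basis(index, n):
    """Computational basis state |index> on n qubits (2^n amplitudes)."""
    v = [0j] * (1 << n)
    v[index] = 1 + 0j
    return v


def walsh_hadamard(n):
    """W_n = W (x) W (x) ... (x) W on n qubits."""
    m = W
    for _ in range(n - 1):
        m = kron(m, W)
    return m


def probabilities(state):
    """Born rule: probability of each computational-basis outcome."""
    return [abs(amp) ** 2 for amp in state]


def dot_parity(i, j):
    """(i, j) = sum_k i_k j_k mod 2: parity of the bitwise AND."""
    return bin(i & j).count("1") & 1


def hadamard_formula_error(n, i):
    """Largest deviation of W_n|i> from 2^{-n/2} sum_j (-1)^{(i,j)} |j>."""
    got = matvec(walsh_hadamard(n), basis(i, n))
    want = [(-1) ** dot_parity(i, j) / math.sqrt(1 << n) for j in range(1 << n)]
    return max(abs(g - w) for g, w in zip(got, want))


def epr_pair_via_xor():
    """XOR . (W (x) Id) |00>: returns the state, its outcome probabilities, and
    whether a second XOR restores (|00> + |10>)/sqrt2 (the gate is reversible)."""
    plus_zero = matvec(kron(W, ID2), basis(0, 2))      # (|00> + |10>)/sqrt2
    epr = matvec(XOR, plus_zero)                        # (|00> + |11>)/sqrt2
    back = matvec(XOR, epr)
    reversible = max(abs(x - y) for x, y in zip(back, plus_zero)) < 1e-12
    return epr, probabilities(epr), reversible


if __name__ == "__main__":
    n = 3
    uniform = probabilities(matvec(walsh_hadamard(n), basis(0, n)))
    print("W_3|000> outcome probabilities:", [round(p, 4) for p in uniform])
    print("W_n|i> formula error (n=3, i=5):", hadamard_formula_error(3, 5))
    epr, probs, ok = epr_pair_via_xor()
    print("EPR amplitudes:", [round(a.real, 4) for a in epr], "probabilities:", probs, "reversible:", ok)
```

The outcome probabilities of the EPR pair are $1/2$ on $|00\rangle$ and $|11\rangle$ and exactly 0 on $|01\rangle$ and $|10\rangle$, and applying XOR twice returns the product state, which is the reversibility that the discussion of Landauer and Bennett requires of any gate carried into the quantum regime.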

DiVincenzo showed [50] that two-qubit gates can be combined to form a universal three-qubit gate and hence that two-qubit gates are universal for quantum computation. However, the gate decomposition provided therein was impractical. Sleator and Weinfurter proved that the gate with matrix in the canonical computational basis
$$\begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & e^{i\pi/4}\cos\pi\theta & e^{-i\pi/4}\sin\pi\theta \\ 0 & 0 & e^{-i\pi/4}\sin\pi\theta & e^{i\pi/4}\cos\pi\theta \end{pmatrix}$$
is universal [126]. Lloyd went further and demonstrated that almost any quantum gate with multiple inputs is universal. The key to this discovery was the realization that the algebra generated by two distinct $n$-qubit Hamiltonians is the whole space of Hermitian operators on $\mathcal{H}^n$ unless both Hamiltonians lie in a submanifold of positive codimension [95]. Finally, it was demonstrated that one-qubit gates together with the quantum XOR gate form a universal set [6].

Therefore, we can formally consider quantum computers as universal models for computation. The role in quantum computation analogous to that of Turing in the arena of classical computation could be said to have been filled by Feynman; it is to his construction we now turn.

B. FEYNMAN'S QUANTUM METAPROGRAM

The first step in devising algorithms and programs to run on a formal quantum computer was taken by Feynman [57], who constructed a metaprogram in the guise of a Hamiltonian on $n + k + 1$ qubits,
$$H = \sum_{i=0}^{k-1}\left(a_{i+1}^{*}\,a_i\,A_i + a_i^{*}\,a_{i+1}\,A_i^{*}\right),$$
where $a_i^{*}, a_i$ are the creation and annihilation operators (sending $|0\rangle$ to $|1\rangle$ and $|1\rangle$ to $|0\rangle$, respectively) on the $i$th program counter qubit, $A_i$ represents, for example, two-qubit gates acting on the $n$ data qubits, and the second term is the Hermitian conjugate of the first. In Feynman's proposal the $k + 1$ “program counter sites” (qubits) were initially set to $|0\rangle$ save for the initial qubit, which was set to $|1\rangle$; the Hamiltonian would then propagate this “cursor” state down the program counter sites, executing the $A_i$ in turn [98]. In this context quantum gates are easy to express: $a + a^{*}$ corresponds to NOT, $a^{*}a\,(b + b^{*}) + aa^{*}$ to XOR (with $a$ on the control qubit and $b$ on the target), and so forth. At the time, however, the utility of such a construct was unclear. This remained the case for nearly 10 years.

C. THE QUANTUM FOURIER TRANSFORM

Indeed, there is a vast gulf between models of universal computation or metaprograms and specific algorithms; despite an early recognition of the basic problem of how to generate constructive interference in order to do anything useful with a quantum computer, no real progress in this area was made until the discovery (prompted by Shor's work) of a realistic quantum Fourier transform (QFT) by Coppersmith [44] and independently by Deutsch [47]. The QFT is a prototypical building block for quantum algorithms, and its central role can hardly be overstated.

The quantum Fourier transform on $n$ qubits is basically the Fourier transform on $\mathbb{Z}_{2^n}$,
$$|j\rangle \mapsto \frac{1}{\sqrt{2^n}}\sum_{k=0}^{2^n-1} e^{2\pi i jk/2^n}\,|k\rangle .$$
It can alternatively be described by a series composition of quantum gates: the single-qubit Walsh-Hadamard gates $W_k$, two-qubit phase gates (the S-gates, controlled phase rotations by $\pi/2^m$ between pairs of qubits), and a final bit reversal $B$, where
$$B = \sum_{k'=0}^{2^n-1}|\mathrm{rev}(k')\rangle\langle k'|, \qquad W_k = \Big(\bigotimes_{j=1}^{k-1}\mathrm{Id}_j\Big)\otimes W\otimes\Big(\bigotimes_{j=k+1}^{n}\mathrm{Id}_j\Big),$$
and $\mathrm{rev}(k')$ denotes the $n$-bit string of $k'$ written in reverse order (note that $B$ is a bit reversal; this evokes the classical FFT [88]).

In practice (so to speak) the S-gates with small associated phases are simply discarded, resulting in a realizable approximate QFT [44]. In fact, it turns out that the approximate QFT can actually improve performance for periodicity estimates in the presence of decoherence [7]. Finally, it is worth noting that the QFT and the Walsh-Hadamard transform act identically on $|0\rangle$: both produce the uniform superposition.

Various generalizations of the QFT have been outlined. For example, a quantum wavelet transform has been developed [52]. Kitaev [83] constructed an analog of the QFT for finite Abelian groups (actually for cyclic groups $\mathbb{Z}_p$ of prime order; however, by the fundamental theorem of finite abelian groups [54], this is sufficient). A quantum network of gates could be designed to perform such a transform efficiently along lines not entirely dissimilar to the Coppersmith construction. In general, a QFT runs exponentially faster than a classical FFT: the QFT requires only a quadratic number of gates, $O(n^2)$, and this improvement over the $O(n2^n)$ operations required for the equivalent FFT on $2^n$ points is a central result in quantum complexity theory. The caveat is that the transformed amplitudes are not available as output; they can only be sampled by measurement, which is why the QFT serves as an interference step inside an algorithm rather than as a drop-in replacement for the FFT. Tighter bounds on the circuit complexity of the QFT can be found in [42].
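As an added example (not the report's code, and not Coppersmith's circuit reproduced verbatim), the Python below builds the QFT on a state vector from single-qubit Walsh-Hadamard gates, controlled phase rotations and the bit reversal $B$, in a qubit ordering assumed here (qubit $b$ is bit $b$ of the basis index, so the most significant qubit is processed first), and compares it with the Fourier transform on $\mathbb{Z}_{2^n}$ applied directly. It also discards the rotations whose phase lies below a threshold, to show how large the approximate QFT's error is.

```python
"""Quantum Fourier transform on n qubits from the gate decomposition.

Added example, not from the report. Qubit b is bit b of the basis index.
The gate helpers are written for this example only.
"""
import cmath
import math


def hadamard_on_bit(state, b):
    """Apply W to qubit b in place."""
    mask = 1 << b
    s = 1 / math.sqrt(2)
    for i in range(len(state)):
        if not i & mask:
            x, y = state[i], state[i | mask]
            state[i], state[i | mask] = s * (x + y), s * (x - y)


def controlled_phase(state, b1, b2, angle):
    """S-gate: multiply amplitudes with both qubits b1 and b2 set by exp(i*angle)."""
    mask = (1 << b1) | (1 << b2)
    phase = cmath.exp(1j * angle)
    for i in range(len(state)):
        if i & mask == mask:
            state[i] *= phase


def bit_reverse(state, n):
    """Permutation B: |k> -> |rev(k)>."""
    out = [0j] * len(state)
    for k, amp in enumerate(state):
        out[int(format(k, f"0{n}b")[::-1], 2)] = amp
    return out


def qft_circuit(state, n, min_angle=0.0):
    """Gate-level QFT. Rotations with angle < min_angle are dropped (approximate QFT)."""
    state = list(state)
    for b in range(n - 1, -1, -1):            # most significant qubit first
        hadamard_on_bit(state, b)
        for c in range(b - 1, -1, -1):        # phases controlled by the lower qubits
            angle = 2 * math.pi / (1 << (b - c + 1))
            if angle >= min_angle:
                controlled_phase(state, c, b, angle)
    return bit_reverse(state, n)


def qft_direct(state):
    """Fourier transform on Z_{2^n}: |j> -> 2^{-n/2} sum_k exp(2 pi i jk/2^n)|k>."""
    N = len(state)
    return [sum(state[j] * cmath.exp(2j * math.pi * j * k / N) for j in range(N)) / math.sqrt(N)
            for k in range(N)]


def basis(j, n):
    v = [0j] * (1 << n)
    v[j] = 1 + 0j
    return v


def max_deviation(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


def qft_error(n, min_angle=0.0):
    """Largest deviation between circuit and direct QFT over all basis inputs."""
    return max(max_deviation(qft_circuit(basis(j, n), n, min_angle), qft_direct(basis(j, n)))
               for j in range(1 << n))


if __name__ == "__main__":
    for n in (1, 2, 3, 5):
        print(f"n={n}: exact circuit error {qft_error(n):.2e}, "
              f"dropping phases below 0.3 rad: {qft_error(n, 0.3):.2e}")
    # QFT and Walsh-Hadamard agree on |0...0>: the uniform superposition.
    print([round(abs(a), 4) for a in qft_circuit(basis(0, 3), 3)])
```

The exact circuit agrees with the direct transform to rounding error for every basis input, while for $n = 5$ the threshold removes the $\pi/16$ rotation and the error becomes visible but bounded; the circuit uses $n(n+1)/2$ gates plus the reversal, against $2^n$ amplitudes for the direct computation.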


D. QUANTUM ALGORITHMS FOR SPECIAL ORACLE PROBLEMS

It has long been recognized that the augmentation of a classical Turing machine with an oracle capable of answering queries about nonrecursive functions (i.e., functions not specified by a formula or algorithm but rather given as a “black box”) would allow the efficient solution of problems beyond the scope of an ordinary classical Turing machine [11]. With this in mind, Bernstein and Vazirani [22], Deutsch and Jozsa [46], and Simon [125] exploited quantum parallelism to query an oracle in superposition and thereby arrive at quantum algorithms with better performance than is classically possible. To illustrate the nature of the oracle problem in quantum computing we sketch the Deutsch-Jozsa algorithm (DJ).

The context of DJ is specified by a black-box function $f : \mathbb{Z}_2^n \to \mathbb{Z}_2$ which is promised or assumed a priori either to be the zero function or to take each of the values 0 and 1 exactly $2^{n-1}$ times (in which case we refer to it as balanced). DJ differentiates between the two cases as follows:

• Step 0: Initialize an $n + 1$ qubit string $|0\ldots0\rangle|1\rangle$ (we could also write this as $|0\rangle|1\rangle$).

• Step 1: Apply the Walsh-Hadamard transform to each register to get
$$\frac{1}{\sqrt{2^n}}\sum_{i=0}^{2^n-1}|i\rangle \otimes \frac{1}{\sqrt2}\left(|0\rangle - |1\rangle\right).$$

• Step 2: Apply the function via $|i\rangle|j\rangle \mapsto |i\rangle|j \oplus f(i)\rangle$ to get
$$\frac{1}{\sqrt{2^n}}\sum_{i=0}^{2^n-1}(-1)^{f(i)}\,|i\rangle \otimes \frac{1}{\sqrt2}\left(|0\rangle - |1\rangle\right),$$
since
$$\frac{1}{\sqrt{2^n}}\sum_{i}|i\rangle \otimes \frac{1}{\sqrt2}\left(|0 \oplus f(i)\rangle - |1 \oplus f(i)\rangle\right) = \frac{1}{\sqrt{2^n}}\sum_{i}(-1)^{f(i)}\,|i\rangle \otimes \frac{1}{\sqrt2}\left(|0\rangle - |1\rangle\right).$$

• Step 3: Invert the Walsh-Hadamard transform on the first register to get $|d_f\rangle \otimes \frac{1}{\sqrt2}(|0\rangle - |1\rangle)$, where
$$|d_f\rangle = \begin{cases} |0\rangle & \text{if } f \text{ is zero,} \\ \text{a state orthogonal to } |0\rangle & \text{if } f \text{ is balanced.} \end{cases}$$

• Step 4: Measure the first register.

Because of our assumption that the function is either zero or balanced, we can determine with probability 1 the answer to the question of which type of function we actually have after performing the DJ algorithm. This is somewhat unusual and is an artifact of the “promise” made in the problem. It is noteworthy that a deterministic classical solution to the problem requires $2^{n-1} + 1$ queries in the worst case, i.e., $O(2^{n-1})$ steps.
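The following Python is an added example, not from the report: it evaluates the first-register state $|d_f\rangle$ of Step 3 directly from the Walsh-Hadamard formula of Section I.C, for a constant function, two balanced functions (the parity, and the most significant bit, which is the worst case for a classical tester), and a function that breaks the promise (an assumed input, neither constant nor balanced), and counts the queries a deterministic classical tester needs in each case.

```python
"""Deutsch-Jozsa on an n-bit oracle, evaluated through the Walsh-Hadamard formula.

Added example, not from the report. After Step 3 the first register is
    |d_f> = 2^{-n} sum_j [ sum_i (-1)^{f(i) + (i,j)} ] |j>,
so the probability of reading |0...0> is |2^{-n} sum_i (-1)^{f(i)}|^2.
"""


def dj_first_register(f, n):
    """Amplitudes of |d_f> on the first register after the inverse Walsh-Hadamard step."""
    N = 1 << n
    amps = []
    for j in range(N):
        total = sum((-1) ** (f(i) ^ (bin(i & j).count("1") & 1)) for i in range(N))
        amps.append(total / N)
    return amps


def dj_probability_zero(f, n):
    """Probability that Step 4 yields |0...0>: 1 for constant f, 0 for balanced f."""
    return abs(dj_first_register(f, n)[0]) ** 2


def classical_worst_case_queries(f, n):
    """Queries a deterministic classical tester needs before it can decide: it stops
    at the first disagreement, or after 2^{n-1}+1 equal answers (the promise then
    rules out 'balanced')."""
    first = f(0)
    for i in range(1, 1 << n):
        if f(i) != first:
            return i + 1
        if i + 1 == (1 << (n - 1)) + 1:
            return i + 1
    return 1 << n


def constant_zero(i):
    return 0


def balanced_parity(i):
    """Balanced: the parity of the n-bit string takes 0 and 1 equally often."""
    return bin(i).count("1") & 1


def balanced_msb(n):
    """Balanced but adversarial for the classical tester: the first 2^{n-1} inputs agree."""
    return lambda i: (i >> (n - 1)) & 1


def promise_violator(i):
    """Neither constant nor balanced (assumed input): 1 only on input 0."""
    return 1 if i == 0 else 0


if __name__ == "__main__":
    n = 4
    for name, f in (("constant", constant_zero), ("parity", balanced_parity), ("msb", balanced_msb(n))):
        print(f"{name:9s} P(|0...0>) = {dj_probability_zero(f, n):.3f}  "
              f"classical queries = {classical_worst_case_queries(f, n)}")
    print(f"violator  P(|0...0>) = {dj_probability_zero(promise_violator, n):.3f}")
```

With the promise honoured the quantum answer is exact in a single query, whereas the classical tester needs $2^{n-1} + 1$ queries against the worst-case balanced function; without the promise the probability of $|0\ldots0\rangle$ is strictly between 0 and 1 and a single measurement no longer decides anything, which is the practitioner's reminder that an oracle algorithm is only as good as the guarantee on its oracle.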

Simon's algorithm is in the same spirit as DJ but is also slightly more subtle. For a black-box function $f : \mathbb{Z}_2^n \to \mathbb{Z}_2^n$ which is assumed a priori to be one of two cases, Simon's algorithm determines (by using the QFT) whether $f$ is one-to-one or two-to-one with a fixed period $s$, i.e., $f(x) = f(x \oplus s)$, in which case it also finds $s$ [4], [125]. Despite the exponential speedups these algorithms offer, however, they are essentially toy models; the recent surge in interest in quantum computation derives from a far more useful quantum algorithm.
III. FACTORING ON A QUANTUM COMPUTER


A. SHOR'S ALGORITHM

Factoring is hard and important; we devote Appendix A to the explanation and ancillary results.

Shor [122] devised an ingenious method for factoring based upon two principles: one a known number-theoretical technique [104], the second quantum-computational. We outline his results correspondingly.

If we have a number $N$ (which we assume not to be a prime power) and the order $r(x)$ (i.e., the smallest positive integer $r(x)$ such that $x^{r(x)} \equiv 1 \bmod N$) of an element $x$ in the multiplicative group
$$\mathbb{Z}_N^{*} = \{a \in \mathbb{Z}_N : \gcd(a, N) = 1\},$$
we can consider $\gcd(x^{r(x)/2} - 1, N)$ for $x$ random and such that $x^{r(x)/2} \bmod N \ne N - 1$ and $r(x) \equiv 0 \bmod 2$. In this event it follows that, since $(x^{r(x)/2} - 1)(x^{r(x)/2} + 1) \equiv 0 \bmod N$ while neither factor is itself $0 \bmod N$, we obtain a nontrivial factor. Shor's algorithm determines the order $r(x)$ as follows:

• Step 0: Initialize a $2n$-qubit string $|0, 0\rangle$ (two registers of $n$ qubits each, where $N < 2^n$).

• Step 1: Apply the QFT to the first register to get
$$\frac{1}{\sqrt{2^n}}\sum_{a=0}^{2^n-1}|a, 0\rangle .$$

• Step 2: Compute $x^a \bmod N$, using quantum gates that efficiently perform binary modular exponentiation for fixed $x, N$ built into the gate structure (such gates can, in turn, be efficiently constructed from gates performing binary modular addition, described in [10], [53], [132]), for each element of the superposition:
$$\frac{1}{\sqrt{2^n}}\sum_{a=0}^{2^n-1}|a, x^a \bmod N\rangle .$$

• Step 3: Apply the QFT on the first register to get
$$|\Psi\rangle = \frac{1}{2^n}\sum_{a=0}^{2^n-1}\sum_{c=0}^{2^n-1} e^{2\pi i ac/2^n}\,|c, x^a \bmod N\rangle .$$

• Step 4: Measure both registers.

The probability of measuring the state $|c, x^{a'} \bmod N\rangle$ is given by
$$\mathrm{Tr}\!\left(|c, x^{a'} \bmod N\rangle\langle c, x^{a'} \bmod N|\;|\Psi\rangle\langle\Psi|\right) = \left|\frac{1}{2^n}\sum_{\substack{0 \le a < 2^n \\ a \equiv a' \bmod r(x)}} e^{2\pi i ac/2^n}\right|^2 = \left|\frac{1}{2^n}\sum_{b} e^{2\pi i b\{r(x)c\}/2^n}\right|^2,$$
where $a = a' + b\,r(x)$ (with $0 \le a' < r(x)$) runs over the range $0 \le a < 2^n$, $\{r(x)c\} \equiv r(x)c \bmod 2^n$, and $-2^{n-1} < \{r(x)c\} \le 2^{n-1}$. If $|\{r(x)c\}| < r(x)/2$, it turns out that this probability is of order $1/r(x)^2$, neglecting lower order terms. In the limit of large $N$ (and hence $n$), the probability distribution becomes a Dirac comb with spikes at values of $c$ where there exists $d$ such that $c = \lfloor d\,2^n/r(x)\rceil$ (the nearest integer). It follows [since, as can be shown, there are $r\varphi(r)$ useful spikes, those with $\gcd(d, r) = 1$] that the probability of measuring a spike state is asymptotically [70]
$$\frac{4\,r\varphi(r)}{r^2\pi^2} \;\ge\; \frac{\delta}{\pi^2\log\log r}$$
for a constant $\delta$ (here $r = r(x)$ and $\varphi$ is Euler's totient function). Therefore, in principle the measurement problem is solved at this point, and from a measurement of a spike we can determine the order $r(x)$ using continued fractions [70], [86]: $d/r(x)$ is a convergent of $c/2^n$ with denominator less than $N$, and when $\gcd(d, r(x)) = 1$ that denominator is $r(x)$ itself.

Taking into account repeated trials, Shor's algorithm requires $O((\log N)^2 \log\log N \log\log\log N) = O(n^2 \log n \log\log n)$ steps; additional polynomial post-processing time is necessary to efficiently determine a factor from the order of a suitable element classically. The majority of the quantum processing time is spent in performing modular exponentiation; more efficient techniques for this can further enhance Shor's algorithm.
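The order-finding steps above, followed by the continued-fraction and gcd post-processing, as an added Python example that is not the report's own code. The inputs $N = 21$, $x = 2$ and $N = 15$, $x = 7$ are constructed for the demonstration; the first register is taken as $q = 2^m \ge N^2$ (Shor's original choice, an assumption here) rather than the $n$ qubits of the sketch above. Outcomes $c$ are tried in order of decreasing probability, which also exposes the spikes with $\gcd(d, r) > 1$ that the $\varphi(r)$ count sets aside: their convergent has a proper divisor of $r$ as denominator and fails the check $x^r \equiv 1$.

```python
"""Shor's order finding, simulated end to end for a small modulus.

Added example, not from the report. The inputs (N, x) are constructed for the
demonstration; the first register has q = 2^m >= N^2 entries (Shor's choice).
"""
import cmath
import math
from fractions import Fraction


def spike_distribution(x, N, m):
    """Probability of each first-register outcome c after Step 3, summed over the
    second register (measuring the second register just selects one residue class of a)."""
    q = 1 << m
    classes = {}
    for a in range(q):                       # Step 2: |a, x^a mod N>
        classes.setdefault(pow(x, a, N), []).append(a)
    probs = [0.0] * q
    for residues in classes.values():        # Step 3: QFT of the first register
        for c in range(q):
            amp = sum(cmath.exp(2j * math.pi * a * c / q) for a in residues) / q
            probs[c] += abs(amp) ** 2
    return probs


def convergents(frac):
    """Successive convergents p/q of the continued fraction of a Fraction in [0, 1)."""
    out, rest = [], frac
    p0, q0, p1, q1 = 0, 1, 1, 0            # standard recurrence seeds
    while True:
        a = math.floor(rest)
        p0, p1 = p1, a * p1 + p0
        q0, q1 = q1, a * q1 + q0
        out.append(Fraction(p1, q1))
        if rest == a:
            return out
        rest = 1 / (rest - a)


def order_from_outcome(c, q, x, N):
    """The convergent d/r of c/q with r < N and x^r = 1 mod N, if any (None otherwise,
    e.g. when gcd(d, r) > 1 so the reduced denominator is only a divisor of r)."""
    for conv in convergents(Fraction(c, q)):
        r = conv.denominator
        if 0 < r < N and pow(x, r, N) == 1:
            return r
    return None


def shor_order(x, N, m):
    """Try the outcomes c in decreasing order of probability (the spikes first)
    until the continued-fraction step yields the order; returns (r, c)."""
    q = 1 << m
    probs = spike_distribution(x, N, m)
    for c in sorted(range(q), key=lambda i: -probs[i]):
        r = order_from_outcome(c, q, x, N)
        if r is not None:
            return r, c
    raise ValueError("no outcome yielded the order")


def factor_from_order(x, r, N):
    """Classical post-processing: gcd(x^{r/2} - 1, N), valid when r is even
    and x^{r/2} != -1 mod N; None when this x was unlucky."""
    if r % 2 or pow(x, r // 2, N) == N - 1:
        return None
    g = math.gcd(pow(x, r // 2, N) - 1, N)
    return g if 1 < g < N else None


def register_bits(N):
    """Smallest m with 2^m >= N^2."""
    return math.ceil(math.log2(N * N))


if __name__ == "__main__":
    for N, x in ((21, 2), (15, 7)):
        m = register_bits(N)
        r, c = shor_order(x, N, m)
        print(f"N={N}, x={x}: outcome c={c} of q={1 << m} gives order r={r}, "
              f"factor {factor_from_order(x, r, N)}")
```

For $N = 21$ the order of 2 is 6, which does not divide $q = 512$, so the spikes sit near $85.3\,d$ and the continued-fraction step is really needed; the outcomes $c = 0$ and $c = 256$ ($d = 0, 3$) are as probable as any spike but yield nothing, which is why Shor's analysis counts only the $\varphi(r)$ values of $d$ coprime to $r$ and why the algorithm is repeated.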

B. FACTORING AS AN INSTANCE OF THE ABELIAN STABILIZER PROBLEM

Kitaev [83] generalized the factoring and discrete logarithm (Appendix A) problems in the context of the abelian stabilizer problem (ASP): given an action $\alpha$ of $\mathbb{Z}^k$ on a finite set $M$, that is, given $\alpha : \mathbb{Z}^k \times M \to M$ with $\alpha_{g+h}(a) = \alpha_g(\alpha_h(a))$, determine a basis of the stabilizer $\mathrm{St}_\alpha(a) = \{g : \alpha_g(a) = a\}$. The problem is well posed since the stabilizer is a subgroup of finite index (and hence of rank $k$) in $\mathbb{Z}^k$ [54]. To see that factoring is an instance of the ASP, consider $M = \mathbb{Z}_N^{*}$, $k = 1$, and the action defined by $\alpha_m(a) = x^m a \bmod N$. In this context a basis of the stabilizer $\mathrm{St}_\alpha(1) = r(x)\mathbb{Z}$ gives the order $r(x)$.

We present a sketch of the quantum AS algorithm for factoring. Consider first the quotient group $E = \mathbb{Z}/\mathrm{St}_\alpha(1) \cong \mathbb{Z}_{r(x)}$ and its character group [100] $\hat E$ of homomorphisms from $E$ to the circle. A character $\chi_h$ is now characterized by a rational number $h/r(x)$ between 0 and 1 [i.e., to specify a homomorphism $\chi_h$ from a cyclic group, which we can represent as roots of unity, to the circle we need only the number $h$ of times $\chi_h$ wraps around the circle]. Indeed, a cyclic group is isomorphic to its character group [100], and so if we can determine the wrapping number $h$ of a generator, then the factoring ASP is effectively solved.

Toward this end we can consider elements of $E$ as shift operators on the orbit of 1 given by $\{\alpha_m(1) : m \in \mathbb{Z}\} = \{x^m \bmod N\}$; the solution of (the factoring instance of) the ASP depends on measuring an eigenvalue of such a shift. Kitaev's scheme uses, for unitary shift operators $U$ on $\mathbb{Z}_{r(x)}$ with eigenvectors $|\psi_{h,r(x)}\rangle$ and corresponding eigenvalues $e^{-2\pi i h/r(x)}$, a controlled shift ($|0\rangle|\psi\rangle \mapsto |0\rangle|\psi\rangle$, $|1\rangle|\psi\rangle \mapsto |1\rangle U|\psi\rangle$) with the control qubit prepared in $W|0\rangle$, which biases the control (second) register by the eigenphase. By measuring enough of these identically prepared states for binary powers $U^{2^j}$ of a shift operator (and performing some subtle handwaving), an observer can approximate the phase of an eigenvalue to any desired accuracy with high probability in polynomial time [4], [83]. (This methodology is also employed for Kitaev's QFT.) This is an instance of so-called eigenvalue estimation, which also appears in algorithms for quantum mechanical simulation (see Section V.B), for example. The final step in Kitaev's algorithm as we present it here is to prepare a uniform superposition of all the shift eigenvectors (which can also be done efficiently) and use the biasing scheme to measure a given value $h$.
IV. SEARCH ALGORITHMS


A. FINDING A NEEDLE IN A QUANTUM HAYSTACK

It is intuitively obvious why a classical search routine applied to an unstructured list of $N$ objects must take of the order of $N$ steps: if our list has no internal structure then we must perform an exhaustive search. (If, on the other hand, we can progressively subdivide our list, for example in a balanced binary tree, then we can perform a classical search in $O(\log N)$ steps.)

Grover discovered the amazing result that a quantum search for such a “needle in a haystack” could be performed in $O(\sqrt N)$ steps [67] (in fact, it has been shown that this is also a lower bound [28], [136]). While perhaps less intriguing on the surface than Shor's factorization algorithm, Grover's haystack search is certainly more versatile; the underlying technique of amplitude amplification can be brought to bear on a host of problems.

Grover's haystack search proceeds as follows. We are given an oracle f : Z_2^n → Z_2 with only one target state t such that f(t) = 1. Consider the states

|a\rangle = 2^{-n/2} \sum_{i=0}^{2^n-1} |i\rangle , \qquad |u\rangle = (2^n-1)^{-1/2} \sum_{i=0}^{2^n-1} \bigl(1 \oplus f(i)\bigr) |i\rangle

and the operator R corresponding to a rotation by θ = cos^{-1}⟨a|u⟩ on the two-dimensional subspace T spanned by |a⟩ and |u⟩ (equivalently, |a⟩ and |t⟩). Furthermore, denote by M_{|b⟩} the reflection Id − 2|b⟩⟨b| about the subspace spanned by a single state |b⟩. Though we have no direct knowledge of T, it is clear by inspection that R^2 = M_{|t⟩} M_{|a⟩} (up to an overall sign on T). Moreover, W M_{|0⟩} W = W^2 − 2|a⟩⟨a| = Id − 2|a⟩⟨a| = M_{|a⟩} and M_{|t⟩}|i⟩ = (−1)^{f(i)}|i⟩. Now cos θ = ⟨a|u⟩ = √((2^n − 1)/2^n), so θ ≈ sin θ = 2^{−n/2}, and it follows that


Summarizing, we can perform a quantum search as follows:

• Step 0: Initialize an n-qubit string |0⟩.

• Step 1: Apply the Walsh-Hadamard transform to get

|a\rangle = 2^{-n/2} \sum_{i=0}^{2^n-1} |i\rangle .

• Step 2: Rotate to get

R^{k}|a\rangle \approx |t\rangle ,

where the number k of rotations is of order 2^{n/2} (this is the O(√N) step count quoted above).

• Step 3: Perform a measurement.

This yields the correct state with high probability (asymptotically 1).

The repeated application of a small rotation is generally referred to as amplitude amplification. It is a powerful and versatile method. It could be said at present that fast quantum algorithms invoke an oracle, a QFT, amplitude amplification, or eigenvalue estimation; as it stands, these are the tools of the trade in quantum computing. Below we provide a sketch of the generalized Grover search algorithm that serves to illustrate amplitude amplification in a more general format.

B. GENERALIZED UNSTRUCTURED AND UNSTRUCTURED PARALLEL QUANTUM SEARCHING

Grover's quantum search generalizes to multiple target states and arbitrary operators and initial superpositions, as shown by Gingrich, Williams, and Cerf [62]. Therefore, quantum search is a viable subroutine for more general programs. Following [62], we outline the algorithm:

• Step 0: Initialize a qubit string

2^{-1/2}\bigl(|a\rangle|0\rangle - |a\rangle|1\rangle\bigr) = 2^{-1/2}\bigl((|a\rangle - |t\rangle)|0\rangle - (|a\rangle - |t\rangle)|1\rangle + |t\rangle|0\rangle - |t\rangle|1\rangle\bigr) ,

where |t⟩ is the superposition of target states.

• Step 1: Apply the oracle to get

2^{-1/2}\bigl((|a\rangle - |t\rangle)|0\rangle - (|a\rangle - |t\rangle)|1\rangle - |t\rangle|0\rangle + |t\rangle|1\rangle\bigr) = 2^{-1/2}\bigl(|a\rangle|0\rangle - |a\rangle|1\rangle - 2(|t\rangle|0\rangle - |t\rangle|1\rangle)\bigr) ,

which is equivalent to applying the inversion operator Id − 2|t⟩⟨t|. (Though equivalent, this is not the same thing: we do not know what the target states are.)

• Step 2: Pick an inversion state |b⟩ and apply the operator −(Id − 2|b⟩⟨b|) an appropriate number of times (depending on both the initial and inversion states).

• Step 3: Repeat Steps 1-2; after an appropriate number of iterations, perform a measurement.

In this general setting there is a phase condition that governs the probability of success for amplitude amplification; this can be used to construct appropriate inversion states [76].
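As an added illustration (not from the report), the following plain-Python simulation carries out the iteration R^2 = M_{|t⟩}M_{|a⟩} of Section IV.A and, by letting the oracle mark several states at once, the multiple-target case outlined above; the qubit count, oracle and target indices are constructed inputs.

```python
import math
from typing import Callable, List


def grover_probabilities(n: int, oracle: Callable[[int], int], iterations: int) -> List[float]:
    """Classically simulate Grover's search on n qubits.

    Steps 0-1 prepare |a> = W|0>; each iteration then applies M_|t> (a phase flip of
    every state the oracle marks) followed by -M_|a> = 2|a><a| - Id, i.e. inversion
    about the mean amplitude.  Returns the probability of each of the 2^n basis
    states after `iterations` rounds.
    """
    size = 1 << n
    amp = [1.0 / math.sqrt(size)] * size            # |a>: the uniform superposition
    for _ in range(iterations):
        # M_|t>: |i> -> (-1)^{f(i)} |i>, using nothing but the oracle's answers
        amp = [-x if oracle(i) else x for i, x in enumerate(amp)]
        # -M_|a>: reflect every amplitude about the mean amplitude
        mean = sum(amp) / size
        amp = [2.0 * mean - x for x in amp]
    return [x * x for x in amp]


def success_probability(n: int, oracle: Callable[[int], int], iterations: int) -> float:
    """Total probability of measuring some state i with f(i) = 1."""
    probs = grover_probabilities(n, oracle, iterations)
    return sum(p for i, p in enumerate(probs) if oracle(i))


def closed_form_success(n: int, num_targets: int, iterations: int) -> float:
    """sin^2((2k+1) theta) with sin(theta) = sqrt(M/N): the exact value the simulation must reproduce."""
    theta = math.asin(math.sqrt(num_targets / (1 << n)))
    return math.sin((2 * iterations + 1) * theta) ** 2


def optimal_iterations(n: int, num_targets: int) -> int:
    """Number of rotations that brings |a> closest to the target subspace.

    The success probability is maximal near k = (pi/(2 theta) - 1)/2 = O(sqrt(N/M)),
    which for a single target is the O(sqrt N) step count of the text.
    """
    theta = math.asin(math.sqrt(num_targets / (1 << n)))
    return round((math.pi / (2.0 * theta) - 1.0) / 2.0)


if __name__ == "__main__":
    # Constructed example: n = 4 qubits (N = 16) with the single target t = 11.
    single = lambda i: int(i == 11)
    k = optimal_iterations(4, 1)
    print(k, success_probability(4, single, k), closed_form_success(4, 1, k))
    # Four targets out of sixteen: a single rotation already gives certainty.
    quad = lambda i: int(i % 4 == 0)
    print(optimal_iterations(4, 4), success_probability(4, quad, 1))
```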

Gingrich, Williams, and Cerf also analyzed punctuation (premature halting after a submaximal number of rotations or inversions) and parallelization of the generalized Grover search routine. They found first that punctuation actually speeds up the routine and is maximized (12-percent fewer rotations/inversions than the Grover algorithm, which, it should be recalled, is therefore 12-percent faster than the quickest possible complete quantum search) when the probability of successful search is 84 percent, and second, that parallelization, even in the optimal case, is useful primarily as a stay against decoherence; indeed, since the gain in time turns out to be O(√k) for a parallel quantum search by k quantum computers, the cumulative time of the parallel search actually exceeds that of a single-agent search by a factor O(√k).


C. STRUCTURED QUANTUM SEARCHING


Hogg [74] noted that the potential of quantum computation is difficult to evaluate on the basis of overly specific (e.g., factoring) or general (e.g., unstructured search) algorithms. An intermediate problem in this context is the so-called random K-SAT (satisfiability) problem [81], in which a solution to a formula

F = \bigwedge_{i=1}^{m} C_i = \bigwedge_{i=1}^{m} \bigvee_{j=1}^{K} b_{ij}

satisfies all m clauses of logical-ORs and NOTs of K (of n total) Boolean variables. Here, the b_{ij} terms denote literals (i.e., either a variable or its negation, with equal probabilities). Varying the ratio of clauses to total variables leads to a phase transition in the problem difficulty [82], [105]: if this ratio is small, then many solutions exist and the problem is easy; if it is large, then no solution exists and the decision problem [11] is easy. For intermediate values, however, the problem is difficult. Hogg studied quantum-computational approaches to K-SAT for the maximally constrained case (i.e., for the largest number of clauses possible in order to retain a solution) [73] and near the phase transition [74].


(The random K-SAT problem has recently been extensively investigated. In particular, composite problems interpolating between K = 2 [which has a linear time solution] and K = 3 [which is NP-complete] and the accompanying phase transition [82], [105] have been the source of considerable interest owing to their status as transitional prototype problems.)

The general method of attack for such a problem is to perform a quantum search of partial solutions and use this to restrict the remainder of the search space [36]. Restricting the search space improves classical and quantum algorithms by raising the execution time of both to the same power α < 1; the quadratic speedup afforded by Grover's algorithm for haystack searches holds for structured searches. (Search algorithms which run in linear time classically — such as maximally constrained K-SAT — experience a speedup to constant time [73].) Successive restrictions do the same, with progressively smaller exponents. In this sense the structured search can be seen as a generalized dynamic tree search, with the limiting case of a fixed (e.g., binary) tree search requiring logarithmic time (which is consistent with the power-law scaling). With this in mind, the quadratic speedup may be said to be a universal feature of quantum versus classical structured search methods [29], [36].

It is interesting that spin glass models have been applied to the study of random K-SAT [24]. A vast undiscovered country with the potential to provide feasible solutions to general hard problems — as well as fundamental information on the difficulties and limits of computation — lies at the confluence of spin glasses, satisfiability and other hard problems, and quantum computation. In particular, analyses of heuristic searches and optimization routines hold promise for evaluating quantum computation [74], [75]. Such heuristics can also find application in (e.g.) the traveling salesman problem [75] and game-theoretic routines (e.g., minimax or checkmate searches); the possibility of performing wargaming or logistical computations on quantum computers merits examination. Even a protocol for appointment scheduling exists [32].
V. OTHER SELECTED ALGORITHMS


A. INTEGRATION

Abrams and Williams [3] have refined a novel technique of Grover [68] for approximating integrals (equivalently, the mean of a sequence) iteratively on a quantum computer. Their approach is not dissimilar to the Monte Carlo method of integration (where the integral is approximated by the function values at random points) but offers a quadratic speedup over it (and a speedup over deterministic methods that is exponential in the dimension of the function space); indeed, their method is based on the same amplitude amplification principle as a quantum search algorithm.

Let E be an estimated value of S = ⟨f⟩, the average of a step function (without loss of generality assumed to have range contained in the unit interval over a uniformly subdivided unit d-cube):

S = \frac{1}{M^{d}} \sum_{a_1,a_2,\ldots,a_d=1}^{M} f(a_1/M, a_2/M, \ldots, a_d/M) = \frac{1}{M^{d}} \sum_{a_1,a_2,\ldots,a_d=1}^{M} f(a_1, a_2, \ldots, a_d) ,

where the second form abbreviates f(a_1/M, …, a_d/M) as f(a_1, …, a_d). Put D = S − E and g = f − E, so that D = ⟨g⟩.

Use the Walsh-Hadamard operator to prepare the state

\frac{1}{\sqrt{M^{d}}} \sum_{a_1,a_2,\ldots,a_d=1}^{M} |a_1,a_2,\ldots,a_d\rangle|0\rangle

and apply a rotation to the second register to get

\frac{1}{\sqrt{M^{d}}} \sum_{a_1,a_2,\ldots,a_d=1}^{M} \Bigl( \sqrt{1 - g(a_1,a_2,\ldots,a_d)^{2}}\;|a_1,a_2,\ldots,a_d\rangle|0\rangle + g(a_1,a_2,\ldots,a_d)\,|a_1,a_2,\ldots,a_d\rangle|1\rangle \Bigr) ,

and apply the inverse Walsh-Hadamard operator. It so happens that the probability of observing |0⟩|1⟩ is D. By performing the above procedure from scratch enough times we can therefore determine D (and hence E and thence S). If, however, we consider the rotation of the first qubit as the rotation in a quantum search algorithm and |0⟩|1⟩ as our target state, we can perform an amplitude amplification by repeating this sequence of operations. This is quadratically faster than sampling — of order the inverse (as opposed to the inverse square) of the desired accuracy.
Alternatively, quantum counting [29], a variant of amplitude amplification, can be used. In this scenario an auxiliary parameter q with integer values from 1 to Q (determined by the desired degree of accuracy) is introduced so that the mean of the Boolean function

b(a_1,a_2,\ldots,a_d,q) \equiv \begin{cases} 1, & q \le Q\, f(a_1,a_2,\ldots,a_d) \\ 0, & q > Q\, f(a_1,a_2,\ldots,a_d) \end{cases}

equals S. The number r of solutions of b = 1 can be counted by invoking amplitude amplification because the amplitude of a single rotation turns out to be proportional to the square root of r. If a superposition of states corresponding to successive powers of the basic amplifying rotation is created, then r can be determined by performing a QFT on a register indicating the power or number of rotations. (See V.B for a similar procedure in the context of eigenvalue estimation as applied to quantum mechanical simulation.) The performance of this algorithm also scales inversely to the desired accuracy. Details can be found in [3].


As it turns out, the principal difficulty with Monte Carlo integration and classical implementations of probabilistic algorithms in general is generating truly random points: as Knuth points out [88], generating even suitably good pseudorandom values is very difficult (it could be said that all the cryptographers in the world have failed to devise a pseudorandom number generator which performs well enough to satisfy themselves). It is also interesting that the runtime of the Monte Carlo method and general amplitude amplification algorithms depend not on the size of the problem per se but rather on the desired accuracy (a function of the number of measurements required for a sufficiently high probability of getting the correct answer, which will in some sense depend on the problem size).


B. SIMULATION OF LOCAL QUANTUM SYSTEMS

Quite possibly the most important — and most immediately realizable — application of quantum computing is the purpose which Feynman originally envisioned: simulating quantum mechanics [96]. Lloyd [95] provided the basic theoretical framework for directly simulating any local quantum system (such as an Ising [63], [93] or lattice gauge [110] model) with an exponential improvement over classical simulation. Interestingly, the converse is commonplace: quantum computers are frequently simulated via Ising spin models.
Lloyd's basic setup is as follows. A local quantum system with Hamiltonian

H = \sum_{j=1}^{l} H_j ,

such that each term in the sum acts on a local Hilbert space of finite dimension d_j = dim(supp(H_j)) and has a time-evolution operator which is decomposed over short time intervals via the Campbell-Baker-Hausdorff formula [117]:

where simulating each operator e^{iH_j Δt} requires O(d_j^2) operations. Under this decomposition the total number of operations for the time evolution operator is O(t · l · max_j d_j^2 / Δt); with this in mind, we require that the number l of terms in the Hamiltonian should scale as a polynomial function of the number of variables or particles. Moreover, we can use this complexity analysis to specify the number (n) of time slices required for a simulation of a given accuracy. Finally, this formalized scheme can accommodate environmental interactions either by including extra terms in the model Hamiltonian or, more elegantly, by simply scaling the computer's environment suitably and exploiting, say, decoherence in the physical system to simulate decoherence in the model system.

In [1] Abrams and Lloyd also outlined an efficient polynomial algorithm for producing an antisymmetrized superposition of states representing the initial state of a fermionic system of k particles, which can then be time-evolved as above. As an alternative, they propose a model based on a quantum field-theoretic or second quantized [110] formalism which is sometimes in principle (i.e., when the number of particles k ≪ m, where m is the number of single particle states) more efficient, owing to the Pauli exclusion principle and the concomitant encoding of the state of the fermionic system into a bit vector of length m. The field-theoretic formulation and its corresponding time evolution are more involved, however; refer to [1] for the details.

Abrams and Lloyd, following Cleve et al. [41], also proposed a more explicit methodology for using the QFT to find eigenvalues and infer eigenvectors of evolution operators (hence also of Hamiltonians) in polynomial time [2]. We sketch the procedure for determining the eigenvalues.

• Step 0: Initialize a qubit string |0⟩|ψ⟩ of length m + l, where |ψ⟩ is an approximate eigenvector of the time evolution operator U = e^{−iHt}:

|\langle\phi_k|\psi\rangle|^{2} = \Omega\bigl(1/\mathrm{poly}(l)\bigr) ,

where φ_k, λ_k = e^{iω_k} are the eigenvectors and eigenvalues of U. (Such an approximate eigenvector can be generated in polynomial time by invoking a classical approximation.)

• Step 1: Apply the QFT on the index register, obtaining the state

2^{-m/2} \sum_{j=0}^{2^m-1} |j\rangle|\psi\rangle .

• Step 2: Produce the state

2^{-m/2} \sum_{j=0}^{2^m-1} |j\rangle\, U^{j}|\psi\rangle = 2^{-m/2} \sum_{j=0}^{2^m-1} \sum_{k} \langle\phi_k|\psi\rangle\, e^{i\omega_k j}\, |j\rangle|\phi_k\rangle

by, for example, binary exponentiation of the evolution operator conditioned on the first register. (This step is reminiscent of quantum counting, cf. IV.A.)

• Step 3: Apply the QFT on the index register again to get

2^{-m} \sum_{j,n=0}^{2^m-1} \sum_{k} \langle\phi_k|\psi\rangle\, e^{i\omega_k j}\, e^{-2\pi i jn/2^m}\, |n\rangle|\phi_k\rangle = \sum_{k} \langle\phi_k|\psi\rangle\, |\tilde{\omega}_k\rangle|\phi_k\rangle ,

where |ω̃_k⟩ denotes the index-register state peaked at n ≈ 2^m ω_k/2π.

• Step 4: Perform a measurement on the index register. The probability of measuring the value n = 2^m ω_k/2π (which leaves the second register in |φ_k⟩) is

|\langle\phi_k|\psi\rangle|^{2}

when 2^m ω_k/2π is an integer, and approximately so otherwise.

A polynomial number of repetitions then gives the eigenvalues satisfying the approximation requirement in Step 0 with an accuracy which scales as 2^{−m}. By performing the CBH decomposition as above, the evolution operator can be realized and the problem solved in polynomial time.
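An added simulation (not part of the report) of Steps 0-4 in plain Python: it takes U already diagonal in its eigenbasis, a constructed |ψ⟩ specified by its overlaps ⟨φ_k|ψ⟩, and uses the inverse QFT for the second transform so that the index register peaks at n ≈ 2^m ω_k/2π (that sign convention is an assumption made here).

```python
import cmath
import math
from typing import List, Sequence


def index_register_distribution(m: int, omegas: Sequence[float],
                                overlaps: Sequence[complex]) -> List[float]:
    """Probability of reading n in the m-qubit index register after Steps 0-3.

    U is taken diagonal, U|phi_k> = e^{i omega_k}|phi_k>, and |psi> = sum_k c_k|phi_k>
    with c_k = <phi_k|psi>.  After the controlled powers U^j (Step 2) and the inverse
    QFT (Step 3) the state is sum_k c_k |omega~_k>|phi_k>; because the |phi_k> are
    orthogonal, the contributions of different k add as probabilities.
    """
    size = 1 << m
    probs = [0.0] * size
    for omega, c in zip(omegas, overlaps):
        for n in range(size):
            # amplitude of |n> inside |omega~_k>:
            #   2^{-m} sum_j e^{i omega j} e^{-2 pi i j n / 2^m}
            amp = sum(cmath.exp(1j * j * (omega - 2.0 * math.pi * n / size))
                      for j in range(size)) / size
            probs[n] += abs(c) ** 2 * abs(amp) ** 2
    return probs


def estimated_phase(m: int, probs: Sequence[float]) -> float:
    """Step 4: the most likely reading n, converted back to a phase 2 pi n / 2^m."""
    n_best = max(range(len(probs)), key=lambda n: probs[n])
    return 2.0 * math.pi * n_best / (1 << m)


if __name__ == "__main__":
    m = 4                                                    # 16 index values, accuracy ~ 2^-m
    omegas = [2 * math.pi * 3 / 16, 2 * math.pi * 10 / 16]   # constructed eigenphases of U
    overlaps = [math.sqrt(0.8), math.sqrt(0.2)]              # constructed |psi>, mostly |phi_0>
    p = index_register_distribution(m, omegas, overlaps)
    print(round(p[3], 6), round(p[10], 6), estimated_phase(m, p))
    # An eigenphase that is not a multiple of 2 pi / 2^m still peaks at the nearest n,
    # but with probability below |<phi_k|psi>|^2, which is what limits the accuracy.
    q = index_register_distribution(m, [2 * math.pi * 3.3 / 16], [1.0])
    print(round(q[3], 4))
```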

Kitaev's algorithm [83] is in the same spirit as the Abrams-Lloyd algorithm: both are instances of the eigenvalue estimation meta-algorithm. The latter, however, can be exploited to determine physical quantities which are also functions of the eigenvectors, such as charge density and momentum distributions or correlation functions [2].


C. QUANTUM CELLULAR AUTOMATA

It has long been known that cellular automata (CA) — and particularly reversible CA — are universal models of computation [61], [131]. As a consequence, certain so-called lattice-gas cellular automata (LGCA) and related ballistic systems can perform computation as a manifestation of their quasi-physical dynamics [39]. Therefore, it is natural in this context to wonder whether a direct physical incarnation of a CA (or LGCA) can be realized.
It so happens that quantum cellular automata (QCA) and quantum lattice gas automata (QLGA) can be defined [103]. The collision operator or transition rule is given as a sort of S-matrix which acts on superpositions of incoming states and yields superpositions of outgoing states at each time step, rather than a deterministic or probabilistic rule operating on fixed states which cannot be superposed.

LGCA such as the FHP hydrodynamical models and the lattice-Boltzmann models obtained by averaging the quantities in the collision operator thereof [39] can simulate instances of the Navier-Stokes equations. In much the same way, QLGA can simulate the N-body Schrodinger equation [24] or the N-body Dirac equation in one dimension [58], [103]. (Interestingly enough, QCA have even been considered as a vehicle to simulate Navier-Stokes [135].)

The details of simulating the N-body Schrodinger equation in d dimensions are involved; for them refer to [25]. The generic dynamics are given by equations of the form

\psi_{i_1 \ldots i_N}(x_1 + \epsilon c_{i_1}, \ldots, x_N + \epsilon c_{i_N}, t+1) = \sum_{k_1 \ldots k_N} S_{i_1 \ldots i_N,\, k_1 \ldots k_N}\; \psi_{k_1 \ldots k_N}(x_1, \ldots, x_N, t) ,

where c_i is a lattice vector. (A general LGA can also be put in this form; the key is that the collision operator here is an S-matrix and not a classical "billiard-ball" collision operator such as arises in, e.g., FHP models.) It is worth noting that this model allows for the inclusion of a general potential (via multiplication of the S-matrix by a position-dependent phase) and for hard-Bose or Fermi statistics.

Interest in QCA is not just related to physical simulation, however. The universality properties of automata suggest architectures for actual quantum computers in much the same way that the universal Turing machine might have suggested a real computer using a magnetic tape. Benjamin and Johnson [14] have developed a prototype scheme for quantum computation that exploits conventional as well as quantum parallelism by considering various types of qubits or "cells." A certain cell type is associated with a distinct energy gap between its two states; the gate architecture in the prototype is given by the spatial configurations of various cell types into networks. However, the geometry of the network per se is inessential; the key is where the various cell types are located within the geometry.

If, though, we can consider multiple-state quantum systems ("qubytes") such that we can restrict the allowable states selectively and independently from qubyte to qubyte in a reasonable manner, we can avoid building a specialized network for any one particular algorithm. (This generalization is analogous to the relationship between, say, a mechanical differential equation solver and a PC loaded with a differential equation software package.)

A specific example of such a cellular quantum computer utilizes two types of cells and (essentially) six local updates; this setup is sufficiently general to provide a universal quantum computer which can be massively parallelized spatially ("pipelined"). By performing massively parallel independent amplitude amplifications and sequentially measuring the network output nodes as successive amplifications take place on the remainder, the runtime of a search would reduce in line with the later results of [62] for optimal parallel search.
VI. QUANTUM INFORMATION THEORY


A. QUANTUM COMMUNICATION CHANNELS

Consider for the moment a classical (n, k) linear binary code C (Appendix B). In this context, error correction and decoding are deterministic processes. That is, a given k-block has a unique associated codeword (i.e., a canonical representative of the code co-set of which the block is a member) which is then transmitted, received, and decoded uniquely. If the transmitted and received n-blocks belong to the same co-set of the equivalence relation induced by C, then the error-correction mechanism will succeed.

In the quantum regime, we can consider the coding problem in an ensemble as well as the possibility of decoding errors (note that encoding errors and transmission errors are effectively the same thing). Now the channel can be represented by the S-sequence:

S : \mathcal{H}^{k} \otimes \mathcal{H}^{n-k} \xrightarrow{\;E\;} \mathcal{H}^{n} \xrightarrow{\;R\;} \mathcal{H}^{n} \xrightarrow{\;\Theta\;} \mathcal{H}^{k} \otimes \mathcal{H}^{n-k} \longrightarrow \mathcal{H}^{n} \longrightarrow \mathcal{H}^{k} \otimes \mathcal{H}^{n-k} ,

where the last two stages of the sequence may repeat several times if detectable errors occur during the decoding process. The operators are unitary and act on the n-qubit Hilbert space, and Θ = E^{−1}. If we assume, for example, that decoding is error free and only one-qubit rotation errors (distributed symmetrically over, say, a parameter space −1 < θ < 1) occur, the S-sequence becomes

S = \Theta \circ \bigotimes_{i} R_{\theta_i} \circ E .

(The tacit assumption here is that most of the terms in the tensor product are effectively identity operators.)

Suppose further that the (classical) probability of a single one-qubit error occurring is p (presumably a time-dependent function) and that errors are independent. Then the probability of m one-qubit errors is given by a binomial distribution, and we find that the ensemble output of the channel can be represented by an ensemble density matrix:

\rho = \sum_{a=0}^{2^k-1} \mathrm{pr}(|a,0\rangle)\, \rho_{|a,0\rangle} = \sum_{a=0}^{2^k-1} \mathrm{pr}(|a,0\rangle) \sum_{m=0}^{n} \sum_{\{j\}_m} p^{m} (1-p)^{n-m}\, |b(a,\{j\}_m)\rangle\langle b(a,\{j\}_m)| ,

|b(a,\{j\}_m)\rangle = S_{\{j\}_m} |a,0\rangle = \Theta \circ \not\bigotimes_{j \in \{j\}_m} R_{\theta_j} \circ E\, |a,0\rangle ; \qquad \{j\}_m = \{ j_1 < \cdots < j_m \} ,

(where the strike through the tensor product indicates suppression of factors that are effectively identity operators). The von Neumann entropy is defined for a density matrix ρ as H(ρ) = −Tr(ρ log_2 ρ) (which is well defined since the density matrix is a positive operator and the techniques of spectral functional calculus can be brought to bear on it [43]). It turns out [118] that the von Neumann entropy is the appropriate generalization of the classical Shannon entropy insofar as it is an ideal lower bound on the expected length of a qubit string encoding the ensemble described by the density matrix.

The Levitin-Holevo upper bound (see, e.g., [71]) on the classical mutual information is given by

H\Bigl( \sum_{a} \mathrm{pr}(a)\, \rho_a \Bigr) - \sum_{a} \mathrm{pr}(a)\, H(\rho_a) ;

if there are no transmission errors in our example, then the density matrices represent pure states, the second term vanishes, and what remains is just the von Neumann entropy. (However, the above expression holds even when the input states are mixed.) It was shown in [71] that by coding properly (and in the absence of noise) the classical mutual information per qubit can be brought arbitrarily close to the ensemble von Neumann entropy. From this it follows that the natural definition for a quantum channel capacity is the maximum possible von Neumann entropy (since this is also the maximum classical mutual information).

The fidelity of our ensemble S-sequence in our example is now

F = \Bigl\langle \mathrm{Tr}\bigl( |a,0\rangle\langle a,0|\, \rho_{|a,0\rangle} \bigr) \Bigr\rangle = \sum_{a} \mathrm{pr}(|a,0\rangle) \sum_{m=0}^{n} \sum_{\{j\}_m} p^{m} (1-p)^{n-m}\, \bigl| \langle a,0 | b(a,\{j\}_m) \rangle \bigr|^{2} .

This and like expressions are realistic gauges of a quantum error-correcting code or a quantum channel [84], and its calculation requires for a given code and signal ensemble only the probability of a single error occurring and a probabilistic description of a one-qubit error operator, both of which can be determined through experiment. Moreover, it is clear that a similar (but more complicated) expression holds when allowing errors in the encoding and decoding stages of the S-sequence or many-qubit errors. These extensions are straightforward. Not so straightforward is the inclusion of decoherence as a transmission error, which is of primary concern because the process of decoherence is effectively nonunitary and in particular can result in what amounts to a non-invertible S-sequence in which the input signal space is collapsed onto a subspace. In any case, our definition of fidelity is essentially the average fidelity of [34]; similar definitions can be found throughout the literature, almost all with particular variations.

Schumacher showed in [118] that a quantum analog of Shannon's noiseless coding theorem holds. In particular, let a quantum channel have the (quantum) capacity C and a quantum source the entropy per unit time H. If H < C, there exists a coding system such that the output of the source can be transmitted (but not copied) over the channel with a fidelity arbitrarily close to unity.

The prohibition against copying is problematic. The no-cloning theorem [133] explains why it exists. That is, suppose there exists a unitary operator U such that U(|a⟩|0⟩) = |a⟩|a⟩ for all |a⟩. Then, if we have orthogonal states |a⟩|0⟩, |b⟩|0⟩, it follows that (ignoring normalizations) U(|a⟩|0⟩) + U(|b⟩|0⟩) = |a⟩|a⟩ + |b⟩|b⟩. But U(|a⟩|0⟩) + U(|b⟩|0⟩) = U(|a⟩|0⟩ + |b⟩|0⟩) = U((|a⟩ + |b⟩)|0⟩) = (|a⟩ + |b⟩)(|a⟩ + |b⟩) ≠ |a⟩|a⟩ + |b⟩|b⟩.

In some other respects, however, quantum information offers advantages over classical information: by sharing an EPR pair for each transmitted qubit the classical Shannon entropy bound (though not the von Neumann entropy bound) can be violated by up to a factor of 2 (less for submaximal entanglement); this phenomenon is called superdense coding. The basic idea [17] is that Alice encodes a two-bit number by applying one of the (four) Pauli matrices to her half of an EPR pair and sending the resulting state to Bob. By performing an XOR on the entangled pair Bob disentangles it; Bob can then perform a measurement on the second qubit (which is then either |0⟩ or |1⟩); Bob then applies the Walsh-Hadamard transform to the first qubit (which is then also either |0⟩ or |1⟩). As we shall see below, superdense coding is related to a dual protocol called quantum teleportation.

B. QUANTUM ERROR-CORRECTING CODES

Given that codes exist that allow the faithful maintenance or transmission of quantum information, it is natural to ask what form such a code might take. Indeed, the situation is much the same in the quantum as in the classical regime in that the noiseless coding theorems do not specify a coding scheme. However, the partial correspondence between classical and quantum information provides a partial answer.
For example, although the triple repetition code cannot be carried over into the quantum regime wholesale [because of the no-cloning theorem, e.g., although a (3, 1) quantum quasi-code is allowed which can correct a restricted class of (Boolean) errors], a (9, 1) quantum code based on it exists. Ignoring normalizations,

|0\rangle \mapsto |0\rangle_9 = (|000\rangle + |111\rangle)(|000\rangle + |111\rangle)(|000\rangle + |111\rangle)

|1\rangle \mapsto |1\rangle_9 = (|000\rangle - |111\rangle)(|000\rangle - |111\rangle)(|000\rangle - |111\rangle) ,

and if we consider the (standard) error basis of Pauli matrices,

X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \qquad Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \qquad Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix},

then the nine-qubit code can correct any linear combination of the errors in the error basis applied to a single qubit [121]. That is, using the parity or majority rule, the first and third terms in the product can correct a Z error; the second term can correct an X error, and hence any one-qubit or Pauli error in the group generated by the Pauli matrices can be corrected. The correction technique uses an ancilla qubit that will, under measurement, collapse its product with a nine-qubit codeword into either an error state with an error recorded in the ancilla (i.e., a syndrome) or into the original state without a recorded error. In either case, measuring the ancilla allows the determination of a single error which can then be explicitly reversed [66].

Calderbank and Shor [34] and Steane [127] first developed the notion of a general quantum (n, k) error-correcting code, which can be defined as a linear subspace C ≅ H^k of H^n. Their initial work introduced the CSS codes constructed from two classical error-correcting codes with 0 ⊂ C_2 ⊂ C_1 ⊂ Z_2^n which respectively correct phase and bit-flip errors. The basic idea is as follows: a CSS code is formed from the derived states (ignoring normalizations)

|c_v\rangle = \sum_{w \in C_2} |v + w\rangle ,

where v ∈ C_1. It happens that a CSS code is a t-error correcting (n, dim C_1 − dim C_2) quantum code, where t is the smaller of the weights of C_1, C_2^⊥. Under the change of basis induced by a Walsh-Hadamard transform, the code maps to the dual code with 0 ⊂ C_1^⊥ ⊂ C_2^⊥ ⊂ Z_2^n, and the codewords themselves map as

\sum_{w \in C_2} |v + w\rangle \mapsto \sum_{w \in C_2^{\perp}} (-1)^{v \cdot w} |w\rangle .

Phase errors in the original basis map to bit-flip errors in the Walsh-Hadamard basis and vice versa. It therefore suffices to correct bit-flip errors (which are the analogues of classical errors) and perform Walsh-Hadamard transformations, then finally correct any remaining bit-flip errors.
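An added worked example (not from the report) of the CSS construction above in plain Python: it builds the code from a constructed pair of classical codes, the [7,3] simplex code as C_2 inside its dual, the [7,4] Hamming code, as C_1; it then checks the Walsh-Hadamard image Σ_{w∈C_2^⊥}(−1)^{v·w}|w⟩ and the exchange of phase and bit-flip errors stated in the preceding paragraph.

```python
from math import sqrt
from typing import List

N_QUBITS = 7
DIM = 1 << N_QUBITS

# Constructed example: the three parity-check rows of the [7,4] Hamming code as 7-bit
# integers.  They span C2, the [7,3] simplex code, and C2 lies inside its own dual
# C1 = C2^perp (the Hamming code itself), so 0 ⊂ C2 ⊂ C1 ⊂ Z_2^7 as CSS requires.
C2_GENERATORS = [0b1010101, 0b0110011, 0b0001111]


def span(generators: List[int]) -> List[int]:
    """All XOR combinations of the generators: the linear code they generate."""
    code = {0}
    for g in generators:
        code |= {c ^ g for c in code}
    return sorted(code)


def dual(code: List[int], n: int = N_QUBITS) -> List[int]:
    """Words with even overlap against every codeword: the dual code C^perp."""
    return [x for x in range(1 << n)
            if all(bin(x & c).count("1") % 2 == 0 for c in code)]


C2 = span(C2_GENERATORS)
C1 = dual(C2)


def css_codeword(v: int) -> List[float]:
    """|c_v> = sum_{w in C2} |v + w> for v in C1 (unnormalized, as in the text)."""
    vec = [0.0] * DIM
    for w in C2:
        vec[v ^ w] += 1.0
    return vec


def walsh_hadamard(vec: List[float]) -> List[float]:
    """W = H^{(x)7}: |x> -> 2^{-7/2} sum_y (-1)^{x.y} |y>, computed by the butterfly."""
    out = list(vec)
    h = 1
    while h < DIM:
        for i in range(0, DIM, 2 * h):
            for j in range(i, i + h):
                a, b = out[j], out[j + h]
                out[j], out[j + h] = a + b, a - b
        h *= 2
    scale = 1.0 / sqrt(DIM)
    return [x * scale for x in out]


def dual_basis_codeword(v: int) -> List[float]:
    """sum_{w in C2^perp} (-1)^{v.w} |w>: the image of |c_v> predicted in the text."""
    vec = [0.0] * DIM
    for w in dual(C2):
        vec[w] += -1.0 if bin(v & w).count("1") % 2 else 1.0
    return vec


def normalize(vec: List[float]) -> List[float]:
    norm = sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec]


def same_state(u: List[float], v: List[float], eps: float = 1e-9) -> bool:
    """True when u and v agree up to normalization (the text ignores normalizations)."""
    return all(abs(a - b) < eps for a, b in zip(normalize(u), normalize(v)))


def apply_z(vec: List[float], qubit: int) -> List[float]:
    """Phase flip on one qubit: |x> -> (-1)^{x_qubit} |x>."""
    return [-x if (idx >> qubit) & 1 else x for idx, x in enumerate(vec)]


def apply_x(vec: List[float], qubit: int) -> List[float]:
    """Bit flip on one qubit: |x> -> |x XOR e_qubit>."""
    return [vec[idx ^ (1 << qubit)] for idx in range(DIM)]


def logical_codewords() -> List[int]:
    """One representative v per coset of C2 in C1: 2^{dim C1 - dim C2} codewords."""
    reps = {}
    for v in C1:
        reps.setdefault(tuple(css_codeword(v)), v)
    return list(reps.values())


if __name__ == "__main__":
    print(len(C2), len(C1), len(logical_codewords()))   # 8 16 2: a (7, 1) code
    for v in logical_codewords():
        c = css_codeword(v)
        # W|c_v> equals the dual-basis codeword, and a Z error before W is an X error after it
        print(v, same_state(walsh_hadamard(c), dual_basis_codeword(v)),
              same_state(walsh_hadamard(apply_z(c, 2)), apply_x(walsh_hadamard(c), 2)))
```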

Along with several quantum codes, bounds on quantum code parameters have also been obtained (which have in turn led to the discovery of quantum codes). In [34] a lower bound acting as counterpart to the Levitin-Holevo bound on the asymptotic rates of certain perfect (i.e., having fidelity 1) quantum (n, k) t-error correcting codes was derived: k/n = 1 − 2H_2(2t/n), where −H_2(x) = x log_2 x + (1 − x) log_2(1 − x). Moreover, a perfect quantum (n, k) t-error correcting code must satisfy n ≥ 4t + k [83]. In particular a (3, 1) perfect quantum code that corrects one error violates this bound and hence cannot exist. However, a perfect (5, 1) one-error correcting quantum code exists [89]:

|0\rangle \mapsto |0\rangle_5 = -|00000\rangle + |01111\rangle - |10011\rangle + |11100\rangle + |00110\rangle + |01001\rangle + |10101\rangle + |11010\rangle

|1\rangle \mapsto |1\rangle_5 = -|11111\rangle + |10000\rangle + |01100\rangle - |00011\rangle + |11001\rangle + |10110\rangle - |01010\rangle - |00101\rangle .

The decoding quantum circuit for the five-qubit code is simply the reversed-order encoding circuit. In this respect the five-qubit code is significant in that it saturates an algebraic bound and can be realized with a minimum of overhead.

If  now  we  set 


ryk  J 
1  M 


U 


then the quantum Gilbert-Varshamov lower bound is E(d − 1) = E(2t) ≤ 1, which reduces in the limit of large n with k/n, t/n fixed to k/n ≤ 1 − log₂3 · 2t/n − H₂(2t/n). It can be shown that if the Gilbert-Varshamov bound holds, then there exists a quantum (n, k) t-error correcting code [35].

The quantum Hamming bound (the analog of the classical Hamming or sphere-packing bound [112], obtained by considering, rather than one classical one-bit error, three distinct possible single-qubit or Pauli errors) is E(t) ≤ 1. Although the quantum Hamming bound holds for nondegenerate codes (those codes for which all errors are distinguishable from one another), it is not known whether it applies more generally. In [64], Gottesman showed that a class of (2^j, 2^j − j − 2) 1-error correcting quantum codes saturating the quantum Hamming bound exists.
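As an added example (not code from the paper), the following Python checks the bounds quoted above on concrete parameters: the (3, 1) code is excluded, the (5, 1) code saturates E(t) ≤ 1 and n ≥ 4t + k, and Gottesman's (2^j, 2^j − j − 2) codes use the least redundancy the Hamming bound allows. The paper's definition of E(·) did not survive extraction; the block assumes the standard sphere-counting form E(m) = 2^{k−n} Σ_{j≤m} 3^j C(n, j), which reproduces the large-n limits quoted in the text.

```python
from math import comb, log2


def sphere_count(n: int, m: int) -> int:
    """Number of distinct Pauli errors on n qubits of weight at most m:
    sum_{j<=m} 3^j * C(n, j), since each of the j affected qubits can carry
    one of three distinct single-qubit errors (X, Y or Z)."""
    return sum(3 ** j * comb(n, j) for j in range(m + 1))


def E(n: int, k: int, m: int) -> float:
    """Assumed form of the paper's E(.): the weight-<=m error count divided by
    the 2^(n-k) syndromes an (n, k) code can distinguish.  E(t) <= 1 is then
    the quantum Hamming bound and E(2t) <= 1 the Gilbert-Varshamov bound."""
    return sphere_count(n, m) / 2 ** (n - k)


def hamming_bound_holds(n: int, k: int, t: int) -> bool:
    """Necessary condition for a nondegenerate (n, k) t-error correcting code."""
    return E(n, k, t) <= 1


def gilbert_varshamov_holds(n: int, k: int, t: int) -> bool:
    """Sufficient condition only: if it holds, an (n, k) t-error code exists [35];
    the (5, 1) code exists although this test fails for it."""
    return E(n, k, 2 * t) <= 1


def knill_laflamme_holds(n: int, k: int, t: int) -> bool:
    """n >= 4t + k, the bound quoted from [83] for perfect codes."""
    return n >= 4 * t + k


def min_redundancy(n: int, t: int) -> int:
    """Smallest n-k for which the quantum Hamming bound admits a nondegenerate
    (n, k) t-error code: the least r with 2^r >= sphere_count(n, t)."""
    r = 0
    while 2 ** r < sphere_count(n, t):
        r += 1
    return r


def H2(x: float) -> float:
    """Binary entropy: -H2(x) = x log2 x + (1 - x) log2(1 - x), as in the text."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -(x * log2(x) + (1.0 - x) * log2(1.0 - x))


def gv_asymptotic_rate(t_over_n: float) -> float:
    """Large-n form of E(2t) <= 1: k/n <= 1 - log2(3) * 2t/n - H2(2t/n)."""
    x = 2.0 * t_over_n
    return 1.0 - log2(3) * x - H2(x)


def css_asymptotic_rate(t_over_n: float) -> float:
    """The CSS rate bound of [34]: k/n = 1 - 2 H2(2t/n)."""
    return 1.0 - 2.0 * H2(2.0 * t_over_n)


def gottesman_params(j: int) -> tuple:
    """(n, k) of Gottesman's 1-error correcting codes (2^j, 2^j - j - 2) [64]."""
    return 2 ** j, 2 ** j - j - 2


if __name__ == "__main__":
    print("(3,1), t=1, Hamming bound holds:", hamming_bound_holds(3, 1, 1))
    print("(5,1), t=1, E(t) =", E(5, 1, 1), " n >= 4t+k:", knill_laflamme_holds(5, 1, 1))
    for j in (3, 4, 5):
        n, k = gottesman_params(j)
        print(f"j={j}: (n, k)=({n}, {k}), n-k={n - k}, minimal n-k={min_redundancy(n, 1)}")
```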

Quantum error correction can be placed under the broader umbrella of fault-tolerant quantum computing; this also encompasses roles such as robust gate application in the presence of errors (the requirement for which was hinted at in our previous discussion of quantum channels) and entanglement purification or distillation. The interested reader is referred to [20], [65], [113]. Other quantum codes (e.g., quantum stabilizer codes) have been developed; some are touched on in [35], [65].

C.  QUANTUM  KEY  DISTRIBUTION 

Before  serious  consideration  was  ever  given  to  quantum  computation,  quantum 
cryptography  was  being  explored  as  an  instance  of  the  power  of  quantum  information: 
asymmetric/public-key  schemes  such  as  RSA  suffer  from  an  inherent  susceptibility  to 
computational  attack  (Appendix  A),  whereas  symmetric/private-key  schemes  such  as 
DES  or  IDEA  suffer  from  this  and  the  key  distribution  problem:  if  the  key  to  a  symmetric 
cipher  could  already  be  securely  transmitted,  then  there  would  be  no  point  in  actually 
transmitting it [99]. Of course, in practice what is done is generally either to distribute
keys  locally  and  transport  them  securely  or  to  encipher  keys  using  an  asymmetric  scheme 
(as  is  the  case  with  PGP).  But  neither  one  of  these  procedures  is  invulnerable. 

Furthermore,  there  is  only  one  totally  secure  classical  cryptologic  protocol:  the 
one-time pad or Vernam cipher [102]. The scheme is trivial to describe. Let Alice and Bob alone share a perfectly random bitstring. To encrypt a message, Alice simply XORs it with the random bitstring; to decrypt the message Bob does exactly the same. The one-time pad is in fact used where absolute security is paramount; despite its simplicity,
however,  it  is  extremely  difficult  to  implement  in  practice.  For  example,  the  key 
distribution  problem  is  critical,  and  security  demands  that  only  physically  secure  and 
authenticated  key  distribution  is  acceptable.  Moreover,  a  one-time  pad  has  its  name  for  a 
reason:  using  the  same  pad  to  encrypt  two  messages  utterly  compromises  its  security. 
This,  coupled  with  any  but  the  smallest  traffic  volumes,  immediately  renders  one-time 
pads  infeasible  for  most  practical  cryptologic  applications  [102]. 

Quantum  channels  provide  a  way  to  make  an  end  run  around  these  problems. 
Basically,  if  Eve  were  to  attempt  to  intercept  a  quantum  key  transmission  between  Alice 
and  Bob,  she  would  inevitably  alter  the  key — and  Alice  and  Bob  can  use  a  protocol 
which  exploits  this  property  and  subjects  the  transmitted  and  received  keys  to  joint 
statistical  tests  which  establish  the  security  of  the  transmission.  Hence,  quantum  key 
distribution  (QKD)  provides  security  based  on  the  laws  of  physics  rather  than  the 
supposed  computational  infeasibility  of  inverting  one-way  functions  or  of  exhaustively 
searching  the  keyspace  of  a  cryptosystem  (which  would  be  an  ideal  problem  for  a 
quantum  computer). 
We sketch the basics of the BB84 QKD protocol [16] here. Let |−⟩, |+⟩ denote the images of |0⟩, |1⟩ (with |−⟩, |0⟩ both corresponding to a classical 0 and |+⟩, |1⟩ both corresponding to a classical 1) under the Walsh-Hadamard transform: both the signed and numbered ket pairs form bases (denoted by R and S, respectively) for a one-qubit state space.

To  send  a  key,  Alice  and  Bob  perform  the  following  sequence  of  operations  for 
each  bit  to  be  transmitted:  Alice  first  chooses  either  the  R  or  S  basis  at  random  and 
transmits  the  state  corresponding  to  a  random  classical  bit  in  her  chosen  basis.  Bob  also 
chooses  one  of  the  bases  R,  S  at  random — independently  of  Alice — and  performs  a 
measurement.  If  Alice  and  Bob  used  the  same  basis  (and  the  bit  was  not  intercepted  by 
Eve)  then  the  state  encoding  the  classical  random  bit  will  have  been  perfectly  transmitted. 
With  this  in  mind,  Alice  and  Bob  publicly  announce  their  basis  selections  after  all  the 
transmissions  are  complete:  statistically,  half  of  these  will  agree,  and  the  corresponding 
classical  bits  form  their  provisional  shared  secret  key.  To  establish  its  security,  Alice  and 
Bob  now  publicly  announce  some  of  the  bits  of  their  shared  key  (which  reduces  the  key 
length):  if  these  pass  certain  public  statistical  procedures  (such  as  testing  for  a  sufficiently 
low  error  rate  and  subsequent  classical  error  correction)  then  they  conclude  that  the  key  is 
secure,  since  if  Eve  intercepted  the  transmission  and  resent  identical  states  after 
measuring  them  in  one  of  the  bases,  she  would  send,  on  average,  half  her  qubits  in  the 
wrong  basis — and  the  resultant  statistical  anomaly  would  be  detected  by  Alice  and  Bob. 
Finally, a privacy amplification protocol is performed whereby m bitstrings of length n equal to the key length (with m < n) are published and the m parities of the XORs are retained as the final key [23].
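The sequence just described, simulated end to end in Python as an added example (not code from the paper): random basis choice and sifting, the public error-rate test, and privacy amplification by published parities. Qubits are modelled only by the rule that a measurement in the preparation basis returns the bit while a measurement in the conjugate basis returns a uniformly random bit; the intercept-resend tap of the text is included so that the 25 percent error rate it leaves in the sifted key can be observed. The abort threshold and all function names are this example's own.

```python
import random

R, S = "R", "S"  # the two conjugate bases of the text: Walsh-Hadamard and computational


def measure(state, basis, rng):
    """Measure a qubit prepared as (prep_basis, bit) in `basis`.  Same basis: the
    bit is read back exactly; conjugate basis: the outcome is a uniformly random
    bit.  That is the only quantum fact this simulation needs."""
    prep_basis, bit = state
    return bit if prep_basis == basis else rng.getrandbits(1)


def transmit(n_qubits, rng, eve=False):
    """Quantum phase plus the public basis announcement.  Returns the sifted bit
    strings held by Alice and Bob (about n_qubits / 2 bits each)."""
    alice_bits = [rng.getrandbits(1) for _ in range(n_qubits)]
    alice_bases = [rng.choice((R, S)) for _ in range(n_qubits)]
    bob_bases = [rng.choice((R, S)) for _ in range(n_qubits)]  # chosen independently
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        state = (a_basis, bit)
        if eve:
            # the tapping attack of the text: Eve measures in a random basis and
            # resends what she saw, so half of her resends are in the wrong basis
            e_basis = rng.choice((R, S))
            state = (e_basis, measure(state, e_basis, rng))
        bob_bits.append(measure(state, b_basis, rng))
    keep = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def estimate_error_rate(a_key, b_key, n_sample, rng):
    """Publicly compare n_sample sifted bits and discard them.  Returns
    (observed error rate, Alice's remaining bits, Bob's remaining bits)."""
    revealed = set(rng.sample(range(len(a_key)), n_sample))
    errors = sum(a_key[i] != b_key[i] for i in revealed)
    a_rest = [a_key[i] for i in range(len(a_key)) if i not in revealed]
    b_rest = [b_key[i] for i in range(len(b_key)) if i not in revealed]
    return errors / n_sample, a_rest, b_rest


def privacy_amplification(key, masks):
    """Keep one bit per published mask: the parity of the key bits it selects."""
    return [sum(k & s for k, s in zip(key, mask)) % 2 for mask in masks]


def bb84_session(n_qubits, n_sample, m_final, seed, eve=False, max_error=0.0756):
    """Run the protocol end to end.  Returns (alice_key, bob_key, error_rate); the
    keys are None when the public test fails.  max_error is the abort threshold
    chosen for this example (the text quotes 7.56 percent as the asymptotically
    tolerable rate)."""
    rng = random.Random(seed)
    a_sift, b_sift = transmit(n_qubits, rng, eve)
    rate, a_rest, b_rest = estimate_error_rate(a_sift, b_sift, n_sample, rng)
    if rate > max_error:
        return None, None, rate
    # the masks are public; both parties must apply the same ones
    masks = [[rng.getrandbits(1) for _ in range(len(a_rest))] for _ in range(m_final)]
    return privacy_amplification(a_rest, masks), privacy_amplification(b_rest, masks), rate


if __name__ == "__main__":
    print("no eavesdropper, error rate:", bb84_session(4000, 500, 128, seed=1)[2])
    print("intercept-resend, error rate:", bb84_session(4000, 500, 128, seed=1, eve=True)[2])
```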

There  are  attacks  on  QKD  protocols  other  than  the  tapping  attack  described 
above.  In  particular,  the  entanglement  attack,  in  which  Eve  entangles  her  interception 
apparatus  with  Alice  and  Bob’s  quantum  channel,  is  problematic.  Similarly,  the  swap 
attack — whereby  Eve  stores  Alice’s  transmitted  quantum  states  and  sends  her  own 
random  states  to  Bob — will  succeed  occasionally,  albeit  with  exponentially  small 
probability.  Of  course,  any  cryptosystem  would  “suffer”  from  the  exponentially  small 
probability  of  an  adversary  correctly  guessing  a  key,  and  so  the  security  of  a  QKD 
protocol  is  really  contingent  only  on  ensuring  that  the  joint  probability  of  the  security  test 
passing  and  Eve  gaining  more  than  an  exponentially  small  amount  of  information  about 
the  key  is  itself  exponentially  small. 

It  has  recently  been  shown  that  several  QKD  protocols  are  unconditionally  secure 
in  this  sense  through  their  relationship  to  a  derived  protocol,  based  on  CSS  codes,  which 
is provably secure [123]. The proof furthers work in [98] and [23], wherein the unconditional security of QKD protocols was demonstrated along more complicated lines. Furthermore, it has been shown that error rates of up to 7.56 percent can give asymptotic security (with higher error rates possible under protocol modifications or practical security parameters) [23].

QKD  and  quantum  error  correction  protocols  can  also  depend  on  entanglement 
distillation  or  purification  schemes  (see  below).  It  is  noteworthy  that  QKD  has  recently 
been  experimentally  realized  over  48  km  fibers  [77]  and  in  daylight  over  1.6  km  [33]. 

D.  EXPLOITING  ENTANGLEMENT:  QUANTUM  TELEPORTATION  AND 
COMMUNICATION  COMPLEXITY 

It has been known for some time that transmitting quantum information need not take place over quantum channels; indeed, the protocol of quantum teleportation provides an avenue for constructing quantum states from classical information [18]. We omit normalizations throughout the following simplified outline, which otherwise follows [114]. If Alice has a qubit |φ⟩ = a|0⟩ + b|1⟩ which has not been measured (so that she has no knowledge of a, b) and she and Bob share an EPR pair |00⟩ + |11⟩ (of which, say, the first qubit is Alice's), then Alice considers the state |φ⟩(|00⟩ + |11⟩) = a|000⟩ + a|011⟩ + b|100⟩ + b|111⟩. If now Alice applies a XOR to the first two qubits and then a Walsh-Hadamard transform on the first qubit, as in superdense (de)coding, the three-qubit state becomes

|00\rangle(a|0\rangle + b|1\rangle) + |01\rangle(a|1\rangle + b|0\rangle) + |10\rangle(a|0\rangle - b|1\rangle) + |11\rangle(a|1\rangle - b|0\rangle) .

A measurement on the first pair collapses the pair, the outcome of which Alice sends to Bob classically. Bob then appl ies the Pauli matrix corresponding to the result (Id for |00⟩, X for |01⟩, Y for |10⟩ or Z for |11⟩). In the end, Bob is left with the state |φ⟩ and Alice, in accordance with the no-cloning theorem, is left with a known state which does not depend on |φ⟩.
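The protocol above carried out on an explicit three-qubit state vector, as an added Python example that is not part of the paper. Bob's correction for each outcome is read off the displayed four-term state: nothing for |00⟩, X for |01⟩, Z for |10⟩, and X followed by Z (Y up to a global phase) for |11⟩. The qubit ordering and function names are this example's own.

```python
import math
import random

SQRT_HALF = 1 / math.sqrt(2)


def bit(i, q):
    """Value of qubit q (0 = Alice's unknown qubit, 1 = her EPR half, 2 = Bob's
    EPR half) in computational-basis index i of the 3-qubit state vector."""
    return (i >> (2 - q)) & 1


def flip(i, q):
    return i ^ (1 << (2 - q))


def cnot(state, control, target):
    """The XOR of the text: target ^= control on every basis state."""
    out = list(state)
    for i, amp in enumerate(state):
        if bit(i, control):
            out[flip(i, target)] = amp
    return out


def hadamard(state, q):
    """Walsh-Hadamard transform on qubit q: |0> -> |0>+|1>, |1> -> |0>-|1>, scaled."""
    out = [0j] * 8
    for i, amp in enumerate(state):
        j = flip(i, q)
        if bit(i, q) == 0:
            out[i] += SQRT_HALF * amp
            out[j] += SQRT_HALF * amp
        else:
            out[j] += SQRT_HALF * amp
            out[i] -= SQRT_HALF * amp
    return out


def _pre_measurement_state(a, b):
    """|phi>(|00> + |11>) after Alice's XOR and Walsh-Hadamard (normalized)."""
    phi = [complex(a), complex(b)]
    epr = [SQRT_HALF, 0, 0, SQRT_HALF]         # |00> + |11>
    state = [x * y for x in phi for y in epr]  # |phi> tensor EPR pair
    state = cnot(state, 0, 1)
    return hadamard(state, 0)


def outcome_probabilities(a, b):
    """Probabilities of Alice's four measurement outcomes (m0, m1): all 1/4."""
    state = _pre_measurement_state(a, b)
    probs = {}
    for m0 in (0, 1):
        for m1 in (0, 1):
            base = (m0 << 2) | (m1 << 1)
            probs[(m0, m1)] = abs(state[base]) ** 2 + abs(state[base | 1]) ** 2
    return probs


def teleport(a, b, outcome=None, rng=None):
    """Teleport |phi> = a|0> + b|1> (|a|^2 + |b|^2 = 1).  Returns (outcome, bob),
    bob being Bob's qubit after the correction the classical outcome dictates."""
    state = _pre_measurement_state(a, b)
    probs = outcome_probabilities(a, b)
    if outcome is None:                        # sample Alice's measurement
        r = (rng or random).random()
        for outcome, p in probs.items():
            r -= p
            if r <= 0:
                break
    m0, m1 = outcome
    base = (m0 << 2) | (m1 << 1)
    norm = math.sqrt(probs[outcome])          # collapse onto the observed branch
    bob = [state[base] / norm, state[base | 1] / norm]
    if m1:                                     # X: swap amplitudes
        bob = [bob[1], bob[0]]
    if m0:                                     # Z: flip the sign of |1>
        bob = [bob[0], -bob[1]]
    return outcome, bob


def fidelity(u, v):
    """|<u|v>|^2 for single-qubit state vectors; 1 means equal up to global phase."""
    return abs(u[0].conjugate() * v[0] + u[1].conjugate() * v[1]) ** 2


if __name__ == "__main__":
    a, b = 0.6, complex(0, 0.8)
    outcome, bob = teleport(a, b)
    print("Alice measured", outcome, "-> Bob holds", bob, "fidelity", fidelity(bob, [a, b]))
```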

As  the  case  is  put  in  [18], 

This would appear to offer a more elegant means of private communications than previous quantum cryptographic schemes [BB84, etc.] which require the users to publicly test some of the data exchanged through the quantum channel, in order to certify the privacy of the rest. However, the appearance of intrinsic security is illusory, since an active adversary could effectively tap into the channel by intercepting all the particles on their way to and from Bob, substituting others in such a way as to impersonate Alice to Bob and Bob to Alice. To defend against this attack Alice and Bob would also need to publicly test some of their data, rendering the present scheme cryptographically equivalent to previous schemes, while retaining its distinctive quantum information-theoretic feature of packing two bits into a single transmitted two-state particle.

Nevertheless,  teleportation  has  a  distinct  advantage  over  QKD  protocols,  for 
which  Alice  has  to  transmit  quantum  states  at  the  time  she  wishes  to  send  Bob  any 
information. For teleportation, on the other hand, the requirement is the advance distribution and storage of entangled pairs. Though this is a technical obstacle, overcoming it (a
necessary  step  anyway  for  a  realistic  quantum  computer)  would  tilt  the  balance  of  utility 
decisively  towards  teleportation.  More  generally,  it  could  be  said  that  teleportation  has 
this  intrinsic  advantage  over  any  other  quantum  communication  scheme,  not  least 
because  it  avoids  the  problems  of  time-of-transmission  errors  and  therefore  allows  high- 
fidelity  quantum  communication. 

Indeed,  it  has  been  shown  [19]  that  a  collection  of  shared  impure  entangled  pairs 
can  be  distilled  or  purified  into  a  smaller  collection  of  asymptotically  pure  entangled 
pairs,  which  can  in  turn  be  used  for  faithful  teleportation.  In  this  setting  the  fidelity  is 
replaced  with  the  yield  of  pure  pairs.  The  purification  protocol  requires  only  simple 
quantum  gates  (notably,  a  bilateral  XOR  performed  by  Alice  and  Bob  on  two  entangled 
pairs). 

So entanglement can serve as a surrogate for communicating unknown information; therefore, it is natural to expect that it can likewise be exploited in the realm of
distributed  quantum  computation  (where  after  all  we  are  dealing  with  states  which  we 
cannot  access  without  a  measurement).  Indeed  this  is  the  case:  Grover  [68]  showed  that  a 
distributed  set  of  coupled  EPR  pairs  could  act  in  parallel  to  compute  the  mean  of  a 
function  (see  also  V.A)  with  minimal  (classical)  communication  complexity. 

Finally,  any  “black-box”  quantum  algorithm  (in  particular,  any  amplitude 
amplification)  can  be  efficiently  realized  as  a  related  communication  protocol.  In 
particular,  search  algorithms  can  be  realized  as  quantum  communication  protocols  which 
offer  the  same  quadratic  speedup.  This  is  the  well-known  “appointment  scheduling” 
result  [32]. 
VII. CONCLUSION


Even  considering  that  this  paper  is  a  survey  of  quantum  algorithms  and  protocols, 
we  have  not  touched  on  several  elements  of  the  general  theory.  As  far  as  specifics  are 
concerned,  we  have  deliberately  omitted  discussion  of  recent  protocols  for  clock 
synchronization  [38],  [81]  because  these  merit  in-depth  study  in  their  own  right.  More 
generally,  we  have  avoided  the  topics  of  physical  systems  for  quantum  information 
devices  (see,  e.g.,  [79],  [128])  and  of  the  impact  of  decoherence  and  errors  on 
implementations  of  protocols  and  algorithms  on  quantum  information  devices  (see,  e.g., 
[37],  [129]).  While  strictly  speaking  neither  is  premature  to  address,  both  of  these  areas 
require  extraordinary  intellectual  overhead,  and  indeed  these  are  precursors  to  the  most 
important  area  of  concern:  applications.  Similarly,  addressing  the  problem  of  spelling  out 
quantum  algorithms  in  circuit  models  as  precursors  to  their  actual  implementation  is  a 
large  undertaking.  Some  basic  scenarios  have  been  examined,  however.  For  example,  a 
proof-of-principle  factorization  of  15  could  be  performed  with  an  ion  trap  quantum 
computer  using  as  few  as  6  qubits  and  38  laser  pulses  [10]. 

The questions of exploiting Aharonov-Bohm effects for error correction and of how to quantify multipartite entanglement are also of considerable theoretical interest and are as yet unanswered; these and like issues merit further analysis.

Certainly,  if  scalable  quantum  computers  are  built,  then  cryptography  as  we  know 
it  is  dead.  More  generally,  it  is  reasonable  to  assume  that  a  quantum  computer  would  lead 
to  revolutions  in  physical  simulation  with  the  potential  to  transfigure  nanotechnology. 
Other  possible  benefits  merit  consideration  also.  Problems  in  combinatorial  analysis  and 
statistical  decision  theory  [75],  [78]  are  natural  candidates  for  solution  on  a  quantum 
computer.  Further  and  as-yet  undiscovered  applications  surely  exist. 

At  this  point  it  is  appropriate  to  say  some  words  about  whether  a  scalable 
quantum  computer  will  in  fact  ever  be  built.  The  author  believes  that  such  devices  could 
well  be  built  within  20  years.  Regardless  of  whether  this  turns  out  to  be  the  case,  it  is 
certain  that  current  experimental  research  on  manipulating  quantum  systems  will  yield 
dividends.  Quantum  information  has  the  potential  to  reshape  the  world — we  have  seen 
why — and  at  this  point  it  is  important  to  begin  considering  how. 
HARD NUMBER-THEORETIC PROBLEMS


A.  THE  TROUBLE  WITH  FACTORING 

The  difficulty  of  the  factoring  problem  has  long  been  known.  Eratosthenes  of 
Kyrene  (ca.  250  BC)  provided  the  first  factoring  algorithm:  given  a  composite  number  N, 
proceed  with  trial  division  by  all  prime  numbers  less  than  or  equal  to  its  square  root. 

The prime number theorem states that the number of primes less than or equal to N is asymptotically π(N) ~ N/log N [100], and so the sieve of Eratosthenes takes asymptotically as many as √N log 2/log N trial divisions if we have a precomputed list of prime numbers (the construction of which would presumably also require sieving). Thus, factoring a 1,024-bit integer via this method requires on the order of 2^502 trial divisions: rather a lot. Moreover, it should be remembered that division is computationally expensive.

Over  the  millennia  various  advances  in  factoring  have  taken  place.  The  current 
champion  of  factoring  algorithms  is  the  general  number  field  sieve  (GNFS)  [92],  of 
which we provide a technical sketch based on the discussion in [31]. The overall aim (and computationally intensive part, which we will not sketch) of the GNFS is to efficiently construct (using a root θ of a monic polynomial f with integer coefficients) a factor base U in the number field Q(θ) (obtained by adjoining θ to the rational numbers and considering the field that is generated as a result) consisting of algebraic integers (i.e., roots of monic polynomials with integer coefficients also lying in Q(θ)) [54].

Given such a factor base U such that the product of its elements,

\prod_{r = a + b\theta \in U} (a + b\theta) = \alpha^2 ,

is a square of an element of the ring Z[θ] generated by θ and

\prod_{r = a + b\theta \in U} (a + bm) = c^2

for integers a, b, c, and m with f(m) ≡ 0 mod N, it follows that if we define a surjective ring homomorphism φ_m : Z[θ] → Z_N satisfying φ_m(1) = 1, φ_m(θ) = m, then

u^2 \equiv \phi_m(f'(\theta)\alpha)^2 = \phi_m\big((f'(\theta)\alpha)^2\big) = \phi_m(f'(\theta))^2 \, \phi_m\Big(\prod (a + b\theta)\Big) = f'(m)^2 \prod (a + bm) \equiv v^2 \bmod N ,

and combining this with the general "difference of squares" result that gcd(x + y, N) is a proper divisor of N for x² ≡ y² mod N, x ≠ ±y, we arrive at a factorization.

The GNFS has asymptotic running time L_N[1/3, (8/3)^{2/3}], where

L_N[a, c] = O\big(\exp\big((c + o(1))(\log N)^{a} (\log\log N)^{1-a}\big)\big)

is the Lucas complexity class [102]. Using this, we arrive at estimates of operation counts required for the GNFS. If we use as a benchmark 1,000 Macintosh G4 computers running the GNFS totally in parallel (the GNFS is highly parallelizable) at 1 Gflops each and identify this with 1 G(GNFS)ops, then the corresponding operation counts and runtime order estimates are as follows:

Bit length    O(Ops)    O(time) (s)    O(time) (yr)
512           2^64      1.8·10^7       5.6
1,024         2^87      1.3·10^14      4.2·10^7
2,048         2^117     1.5·10^23      4.2·10^16

Hence,  factoring,  for  example,  a  2,048-bit  integer  is  computationally  infeasible  using  the 
GNFS. 

A  hard  512-bit  number  (RSA-155)  was  recently  (August  1999)  factored  via  a 
massively  distributed  sieving  effort  using  roughly  300  computers — over  half  of  them 
high-end  workstations — over  the  course  of  7.4  months  (5.2  months  for  sieving  and 
2.2  months  to  select  an  appropriate  monic  polynomial  for  the  GNFS),  plus  the  final 
solution  time  of  the  resulting  massive  sparse  linear  system  via  a  specialized  iterative 
technique  [31],  which  required  roughly  10  days  on  a  Cray  C916  [130]. 

It  is  therefore  reasonable  to  assume  that  factoring  512-bit  numbers  is  well  within  a 
temporal-computational  scope  corresponding  to  a  capital  outlay  on  the  order  of 
$10  million  and  a  year  of  execution  time  for  GNFS  or  a  slightly  better  algorithm.  Under 
these  assumptions,  however,  1,024-bit  numbers  are  still  inaccessible — at  any  price. 
Silverman  notes  in  an  RSA  technical  report  that  the  bit  length  of  the  largest  number 
openly  factored  as  a  function  of  the  year  has  a  linear  fit  ( b  =  14.05[y  -  1970]  +  23)  with 
correlation  coefficient  .955,  where  b  is  the  bit  length  and  y  is  the  year  [124].  Another 
estimate  based  on  extrapolating  Moore’s  law  arrives  at  a  cube  root  fit  which  is  cited  in 
[124]. Assuming these relationships hold indefinitely, we get the following estimates of the year of factorization capability for a given bit length:


Bit length    Linear fit    Moore's law
512           2005          1999
1,024         2041          2018
2,048         2115          2041

This  suggests  that  to  factor  numbers  much  larger  than  512  bits  it  is  better  to  wait  for 
developments  in  algorithms  and  computers  than  to  bother  with  the  GNFS. 

B.  RSA 

Factoring  is  not  just  an  academic  exercise;  indeed,  the  security  of  the  nearly 
universal  standard  RSA  public-key  cryptosystem  [115]  hinges  on  the  computational 
infeasibility  of  factoring  large  numbers.  We  present  a  sketch  of  the  number-theoretic 
problem  upon  which  the  RSA  protocols  are  based. 

Alice sets an RSA modulus N = pq for two large (and otherwise suitable) prime numbers p, q of equal or nearly equal length and picks an encryption key e such that

\gcd(e, (p - 1)(q - 1)) = 1 .

She can efficiently compute the decryption key

d = e^{-1} \bmod (p - 1)(q - 1) .

Alice publishes N and e, and keeps d, p, and q secret. If Bob wishes to send Alice a secret message M (here, just a number less than N), he encrypts it as C = M^e mod N. Alice then computes

C^d \bmod N \equiv M^{de} \bmod N = M^{k(p-1)(q-1)+1} \bmod N \equiv M^{k\phi(N)+1} \bmod N \equiv M \bmod N ,

where the Euler phi function φ(N) is defined as the number of positive integers less than and relatively prime to N (in our case equal to (p − 1)(q − 1)), and we have invoked Euler's theorem [88]:

\gcd(a, N) = 1 \Rightarrow a^{\phi(N)} \equiv 1 \bmod N .

Since (by assumption and design) M is less than N, we recover the message uniquely. (N.B. By decomposing an arbitrary message into packets we can always do this.)
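A worked instance of the sketch above in Python, added here as an example (not the paper's code), with toy primes chosen for this illustration and the packet decomposition of the N.B. included; is_prime is plain trial division, adequate only for such sizes.

```python
from math import gcd


def is_prime(n):
    """Trial division; fine for the toy sizes used here, not for real moduli."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def rsa_keygen(p, q, e):
    """Alice's side: N = pq, require gcd(e, (p-1)(q-1)) = 1, then
    d = e^-1 mod (p-1)(q-1).  Returns ((N, e), d)."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)                 # Euler's phi(N) for N = pq
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    d = pow(e, -1, phi)                     # modular inverse (Python 3.8+)
    return (p * q, e), d


def rsa_encrypt(public, M):
    N, e = public
    if not 0 <= M < N:
        raise ValueError("message must be a number less than N")
    return pow(M, e, N)                     # C = M^e mod N


def rsa_decrypt(N, d, C):
    return pow(C, d, N)                     # C^d = M^(de) = M^(k phi(N) + 1) = M mod N


def euler_theorem_holds(a, N, phi):
    """gcd(a, N) = 1  =>  a^phi(N) = 1 mod N, the step invoked in the text."""
    return gcd(a, N) != 1 or pow(a, phi, N) == 1


def block_size(N):
    """Bytes per packet so that every packet, read as an integer, is below N."""
    return (N.bit_length() - 1) // 8


def encrypt_bytes(public, data):
    """The N.B. of the text: split an arbitrary message into packets below N."""
    N, _ = public
    size = block_size(N)
    return [rsa_encrypt(public, int.from_bytes(data[i:i + size], "big"))
            for i in range(0, len(data), size)]


def decrypt_bytes(N, d, blocks, length):
    """Inverse of encrypt_bytes; `length` recovers a short final packet."""
    size = block_size(N)
    out = b"".join(rsa_decrypt(N, d, C).to_bytes(size, "big") for C in blocks)
    if length % size:                       # last packet was shorter than size
        out = out[:-size] + out[-size:][size - length % size:]
    return out


if __name__ == "__main__":
    (N, e), d = rsa_keygen(2357, 2551, 65537)   # toy primes for illustration
    msg = b"quantum key distribution"
    blocks = encrypt_bytes((N, e), msg)
    print("N =", N, "d =", d, "recovered:", decrypt_bytes(N, d, blocks, len(msg)))
```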

The  RSA  problem  is  to  derive  M  given  N,  e,  and  C;  it  is  generally  suspected  [102] 
(though  not  known)  that  this  is  polytime  equivalent  to  factoring  (certainly  factoring 
moduli gives efficient solutions of RSA). Therefore, we may reinterpret the tables from the previous section as security parameters for the RSA cryptosystem, and provide a new context in which the factoring problem may be said to be important.

C.  THE  DISCRETE  LOGARITHM  PROBLEM 

If p is a prime number, the multiplicative group Z_p^* is cyclic, and the discrete logarithm problem (DLP) for a generator α and arbitrary unit β is to determine (the unique) x such that α^x ≡ β mod p [102]. The DLP generalizes to algebraic curves with group structures [87], but we shall not consider these here.

The  ElGamal  [55]  and  Digital  Signature  Algorithm  [59]  schemes  (among  others) 
rely  on  the  DLP.  Though  ElGamal  can  be  used  for  encryption,  we  sketch  here  only  the 
basis for the authentication protocol. In this setting, Alice randomly picks two elements α and x in the cyclic group Z_p^* and computes

\beta = \alpha^x \bmod p .

Alice publishes p, α and β and keeps x secret. To authenticate a message M, Alice chooses a secret signature exponent k and computes

a = \alpha^k \bmod p, \quad b \text{ such that } M \equiv (ax + bk) \bmod (p - 1) .

The public pair a, b is the signature. Authentication proceeds along the following lines:

\beta^a a^b \bmod p = \alpha^{ax} \alpha^{bk} \bmod p = \alpha^{ax + bk} \bmod p = \alpha^M \bmod p .

DSA  is  similar  in  its  operation,  and  in  fact  it  can  be  shown  [118]  that  they  are 
both  cases  of  a  general  DLP  signature  scheme  for  cyclic  groups. 
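The ElGamal signature sketch above in Python, added here as an example (not from the paper), with p = 467, α = 2 and sample exponents chosen for this illustration. Solving for b requires k to be invertible modulo p − 1, and the check that a signature's components lie in range is an assumption beyond the sketch.

```python
from math import gcd


def prime_factors(n):
    """Distinct prime factors by trial division (toy sizes only)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def is_generator(alpha, p):
    """alpha generates Z_p^* iff alpha^((p-1)/q) != 1 for every prime q | p-1."""
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def keygen(p, alpha, x):
    """Public key (p, alpha, beta) with beta = alpha^x mod p; x stays secret."""
    if not (1 <= x < p - 1) or not is_generator(alpha, p):
        raise ValueError("need a generator alpha and 1 <= x < p-1")
    return (p, alpha, pow(alpha, x, p)), x


def sign(M, p, alpha, x, k):
    """a = alpha^k mod p and b with M = ax + bk mod (p-1).  k must be a fresh
    secret with gcd(k, p-1) = 1 so that it is invertible modulo p-1."""
    if not (1 <= k < p - 1) or gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible modulo p-1")
    a = pow(alpha, k, p)
    b = (M - a * x) * pow(k, -1, p - 1) % (p - 1)
    return a, b


def verify(M, signature, public):
    """Check beta^a a^b = alpha^(ax+bk) = alpha^M mod p, as in the text."""
    p, alpha, beta = public
    a, b = signature
    if not (1 <= a < p) or not (0 <= b < p - 1):   # range checks (assumed)
        return False
    return pow(beta, a, p) * pow(a, b, p) % p == pow(alpha, M, p)


if __name__ == "__main__":
    public, x = keygen(467, 2, 127)            # sample values for illustration
    sig = sign(100, 467, 2, x, 213)
    print("signature", sig, "verifies:", verify(100, sig, public))
```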

Shor also provided in [122] a quantum-algorithmic solution to the DLP along much the same lines (and with a basically equal increase in efficiency) as for the factoring problem; Boneh and Lipton [27] obtained an analogous result for algebraic curves. Kitaev's solution of the ASP encompasses these [83].
CLASSICAL INFORMATION THEORY


A.  CLASSICAL  ENTROPY,  CHANNEL  CAPACITY,  AND  ERROR 
CORRECTION 

Shannon  [120]  initiated  the  study  of  information  theory;  its  basic  building  blocks 
are  the  notions  of  entropy  and  channel  capacity.  (The  interested  reader  may  also  refer  to 
[5] or [99] for brief or detailed discussions, respectively.) Given a statistical characterization of a discrete channel — that is, given a random variable X which takes as its values the possible transmissions or events E₁, …, E_n and their (presumably nonzero) associated probabilities p₁, …, p_n, a reasonable measure I of information transmitted should satisfy the following criteria:

I.  Ej  j  >  max  i{Ej  )  >  0 

II. I(E_i ∩ E_j) = I(E_i) + I(E_j) for independent events.

It can then be shown that I must be of the form I(E_j) = −log₂ p_j (up to a multiplicative constant) and so its expected value — the entropy — is

H(X) = \langle I(X) \rangle = -\sum_{j=1}^{n} p_j \log_2 p_j .

In this context, the entropy can be said to be the appropriate measure of information (properly, of uncertainty) which is transmitted through a communication channel. We may also define the respective joint and conditional entropies for X, Y by

H(X, Y) = -\sum_{j=1}^{n} \sum_{k=1}^{m} p_{jk} \log_2 p_{jk} ,

H_X(Y) = -\sum_{j=1}^{n} p_j \Big( \sum_{k=1}^{m} p_j(k) \log_2 p_j(k) \Big) = \sum_{j=1}^{n} p_j H_j(Y) ,

where p_j(k) = P(Y = k | X = j) is a conditional probability and the sum in parentheses is called the equivocation. It turns out that H(X, Y) = H(X) + H_X(Y) = H(Y) + H_Y(X). Finally, we define the mutual information (Shannon's transmission rate) M(X, Y) = H(X) − H_Y(X) = H(Y) − H_X(Y): since the conditional entropy is a measure of residual information, the mutual information is what it should be.
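The quantities just defined, computed in Python for a binary symmetric channel as an added example that is not part of the paper: the additivity criterion II, the chain rule H(X, Y) = H(X) + H_X(Y) = H(Y) + H_Y(X) checked numerically, and the capacity C obtained by maximising M(X, Y) over the input distribution (a grid search, this example's choice).

```python
from math import log2


def self_information(p):
    """I(E) = -log2 p for an event of probability p > 0 (criterion II: additive
    for independent events)."""
    return -log2(p)


def entropy(probs):
    """H(X) = -sum_j p_j log2 p_j; zero-probability terms contribute nothing."""
    return -sum(p * log2(p) for p in probs if p > 0)


def joint_distribution(p_in, channel):
    """p_jk = P(X=j) P(Y=k|X=j) from an input distribution and channel matrix W[j][k]."""
    return [[pj * w for w in row] for pj, row in zip(p_in, channel)]


def marginals(P):
    px = [sum(row) for row in P]
    py = [sum(col) for col in zip(*P)]
    return px, py


def joint_entropy(P):
    """H(X,Y) = -sum_j sum_k p_jk log2 p_jk."""
    return entropy([p for row in P for p in row])


def conditional_entropy_x(P):
    """H_X(Y) = sum_j p_j H_j(Y), H_j(Y) being the entropy of p_j(k) = P(Y=k|X=j)."""
    px, _ = marginals(P)
    return sum(pj * entropy([p / pj for p in row]) for pj, row in zip(px, P) if pj > 0)


def conditional_entropy_y(P):
    """H_Y(X): the same with the roles of X and Y exchanged (transpose p_jk)."""
    return conditional_entropy_x([list(col) for col in zip(*P)])


def mutual_information(P):
    """M(X,Y) = H(X) - H_Y(X) = H(Y) - H_X(Y)."""
    px, _ = marginals(P)
    return entropy(px) - conditional_entropy_y(P)


def chain_rule_holds(P, tol=1e-12):
    """H(X,Y) = H(X) + H_X(Y) = H(Y) + H_Y(X), up to floating-point error."""
    px, py = marginals(P)
    h = joint_entropy(P)
    return (abs(h - entropy(px) - conditional_entropy_x(P)) < tol
            and abs(h - entropy(py) - conditional_entropy_y(P)) < tol)


def binary_symmetric_channel(flip):
    """W[j][k] = P(Y=k|X=j) for a channel that flips each bit with probability flip."""
    return [[1 - flip, flip], [flip, 1 - flip]]


def binary_input_capacity(channel, steps=1000):
    """Capacity C = max over input distributions of M(X,Y) for a two-input
    channel, by a grid search over P(X=0)."""
    best = 0.0
    for i in range(steps + 1):
        q = i / steps
        best = max(best, mutual_information(joint_distribution([q, 1 - q], channel)))
    return best


if __name__ == "__main__":
    W = binary_symmetric_channel(0.1)
    P = joint_distribution([0.3, 0.7], W)
    print("H(X,Y) =", joint_entropy(P), "M(X,Y) =", mutual_information(P))
    print("capacity =", binary_input_capacity(W), "= 1 - H2(0.1)")
```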
The channel capacity C is then the maximum possible value of the mutual information. Shannon proved the following theorem:

Let  a  discrete  channel  have  the  capacity  C  and  a  discrete  source  the 
entropy  per  second  H.  If  H  <  C  there  exists  a  coding  system  such  that  the 
output  of  the  source  can  be  transmitted  over  the  channel  with  an  arbitrarily 
small  frequency  of  errors  (or  an  arbitrarily  small  equivocation).  If  H  >  C  it 
is  possible  to  encode  the  source  such  that  the  equivocation  is  less  than 
H − C + ε where ε is arbitrarily small. There is no method of encoding
which  gives  an  equivocation  less  than  H  -  C. 

Establishing  the  existence  of  good  error-correcting  codes  is,  however,  a  far  cry 
from  having  (or  being  able  to  implement)  good  error-correcting  codes. 

The simplest example of an error-correcting code is the triplet parity code: 0 is encoded as the codeword 000 and 1 as 111. A received triplet other than these is weighted: it has either two zeroes or two ones, and is changed to 000 or 111 accordingly. This is a specific instance (3, 1) of the more general notion of a linear binary (n, k) or (n, k, d) code. (Here, d refers to the minimum weight, or number of ones, of a nonzero codeword, and it can be shown that an (n, k, d) code can correct (d − 1)/2 or fewer errors; the [integral] number t of errors a code can correct is referred to as its weight.) Such a code C is specified by, for example, a generator matrix G which can be assumed to be in the form (Id | A), where Id is the k-by-k identity matrix and A is a k-by-(n − k) matrix (equivalently, the dual code C⊥ may be characterized by the parity check matrix (−Aᵀ | Id)). The rows of the matrix G are then the basis codewords, and a generic bit string x of length k is encoded by producing the linear combination of basis codewords whose first k bits equal x. Hence, a linear code can also be described by the span of its basis codewords; this turns out to be the view most naturally suited to negotiating the correspondence between classical and quantum codes.

The decoding process is generally difficult: each codeword has a large coset of errorwords which (unless the code were engineered with viable algorithmic decoding schemes) has to be exhaustively searched. However, special decoding techniques exist (e.g., syndrome and Hamming decoding) which can dramatically reduce the computational effort involved. Still, when n is large enough, an (n, k) code is infeasible to implement classically (if for no other reason than that processing with such a code is problematic from the standpoint of buffer size, bus speed, etc.).
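Systematic (Id | A) encoding and syndrome decoding as described in the two paragraphs above, in Python, added here as an example (not the paper's code). The triplet code has A = (1 1); the (7, 4) Hamming code uses the standard A given below. Over GF(2) the minus sign in (−Aᵀ | Id) vanishes, and the last function checks the perfect property: the error patterns of weight at most t account for every one of the 2^(n−k) syndromes.

```python
from itertools import combinations, product


def encode(x, A):
    """Systematic encoding with G = (Id | A): the codeword is x followed by the
    n-k parity bits x.A (mod 2)."""
    k, r = len(A), len(A[0])
    parity = [sum(x[i] * A[i][j] for i in range(k)) % 2 for j in range(r)]
    return list(x) + parity


def parity_check_matrix(A):
    """H = (A^T | Id), so that H.c = 0 (mod 2) for every codeword c."""
    k, r = len(A), len(A[0])
    return [[A[i][j] for i in range(k)] + [1 if c == j else 0 for c in range(r)]
            for j in range(r)]


def syndrome(word, H):
    return tuple(sum(h * w for h, w in zip(row, word)) % 2 for row in H)


def min_distance(A):
    """d = minimum weight of a nonzero codeword (enumerates all 2^k codewords)."""
    k = len(A)
    return min(sum(encode(x, A)) for x in product((0, 1), repeat=k) if any(x))


def syndrome_table(H, t):
    """Map each syndrome to its lowest-weight error pattern of weight <= t
    (the coset leader), so decoding is a table lookup, not a coset search."""
    n = len(H[0])
    table = {}
    for w in range(t + 1):
        for positions in combinations(range(n), w):
            err = [1 if i in positions else 0 for i in range(n)]
            table.setdefault(syndrome(err, H), err)
    return table


def decode(word, A):
    """Syndrome decoding: correct up to t = (d-1)//2 errors and return the k
    message bits, or None when the syndrome matches no correctable pattern."""
    H = parity_check_matrix(A)
    t = (min_distance(A) - 1) // 2
    err = syndrome_table(H, t).get(syndrome(word, H))
    if err is None:
        return None
    corrected = [(w + e) % 2 for w, e in zip(word, err)]
    return corrected[:len(A)]


def is_perfect(A):
    """Perfect code: the coset leaders of weight <= t exhaust all 2^(n-k) cosets."""
    H = parity_check_matrix(A)
    t = (min_distance(A) - 1) // 2
    return len(syndrome_table(H, t)) == 2 ** len(H)


TRIPLET_A = [[1, 1]]                                      # the (3, 1, 3) triplet code
HAMMING_A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]  # the (7, 4, 3) Hamming code

if __name__ == "__main__":
    cw = encode([1, 0, 1, 1], HAMMING_A)
    damaged = [b ^ (1 if i == 5 else 0) for i, b in enumerate(cw)]
    print("codeword", cw, "damaged", damaged, "decoded", decode(damaged, HAMMING_A))
    print("triplet 101 decodes to", decode([1, 0, 1], TRIPLET_A))
```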

It turns out [112] that the (2^m − 1, 2^m − m − 1, 3) Hamming and (23, 12, 7) Golay codes are the only nontrivial binary perfect (i.e., capable of correcting t errors) error-correcting codes. This surprising fact serves to illustrate that the theory of classical error-correcting codes is deep and complex. We refer the reader to [111] or [112] for further details.